With over a billion installations, Java is in everything from your computer to your thermostat, and nefarious hackers are taking note. Attacks have been coming fast and furious, with Flashback hitting the Mac platform last spring, and more recent updates impacting all platforms. The United States government even recommended that users disable Java from their browsers.
Now it appears there is yet another Java vulnerability running rampant in the world, despite the fact that it was updated again last week. According to PC World, researchers at Poland-based Security Explorations found not one, but two new vulnerabilities that allow attackers to run arbitrary code on a user’s machine. Neither vulnerability is related to the ones identified in the past couple of weeks, so further attacks are also possible. The specifics of the attack are not being released, giving Oracle time to fix the problem before the bad guys learn how to break it.
On the bright side, Java 7 Update 11 prompts users to confirm whether an applet should be run or not, making it a bit more difficult to run attack code. Unfortunately, most users blindly click “yes” to any prompt they see, so it’s not a great level of protection. The site “Krebs on Security” has a nice article on how to disable Java on various browsers running on both Windows and Mac, so it’s worth checking out if you don’t know how to do it yourself.