Researcher Adam Gowdiak, founder and CEO of Security Explorations, has revealed that the security settings in the current version of Java can simply be ignored. The Java Control Panel has a slider under the Security tab “to control the behavior when attempting to run unsigned apps (either from the web or local).” The settings are low, medium, high and very high. “It can be thought of,” says Oracle, “as the ability to control the level of notification you will receive when the browser attempts to run unsigned Java apps.”
The problem, says Gowdiak, “is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above.” He developed a proof of concept, which he hasn’t disclosed, that “has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with ‘Very High’ Java Control Panel security settings.”
He goes on to warn that Java’s recent security improvements simply have no effect on ‘silent exploits.’ “Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.”
“If Oracle wants Java to be successful within the browser they will need to make serious investments into the security model and their ability to respond quickly to new threats,” said HD Moore, the CSO at Rapid7. “Securing the Java applet model is difficult - Java is a legacy code base, it has an extremely wide scope (enterprise, mobile, browser), and the existing security model is internal to the interpreter. Java would benefit from a process-level sandbox and a drastic change in the APIs available to untrusted applets.”
It clearly remains sound advice to disable or remove Java if it isn’t needed. But one of the problems with Java is that it is so ubiquitous. While reporting on Gowdiak’s warning, the latest SANS newsletter comments, “Web conferencing and SSL VPN applications typically require Java-enabled browsers. I had disabled Java from my browsers, and needed to enable it to get on a web customer conference call. This is a problem for the enterprise employees. If they don’t remember to turn off Java after it has been used, they become vulnerable!”