The Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT) has issued an alert about a vulnerability in Java 7 that “allows a Java applet to grant itself permission to execute arbitrary code.” An attacker could exploit this by luring a user to a malicious website or by loading the applet on a legitimate website (a “drive-by download” attack).
An earlier alert includes detailed instructions for disabling Java. “Disabling the Java plug-in for Internet Explorer is significantly more complicated than with other browsers,” CERT warns. Just disabling the plug-in in IE is not enough. To fully protect your computer you’ll need to edit the registry. If you’re uncomfortable doing that, you should uninstall Java 7 through your Control Panel.
Mozilla has announced it is taking proactive action to protect its users by enabling Click To Play.
The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.
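Granting a site a per-site Click To Play exception is only sensible once you know which of its pages actually load the Java plug-in, and through which element. The script below is an added example, not code from US-CERT, Mozilla or Oracle: it walks a page's HTML and lists every `<applet>`, and every `<object>`/`<embed>` whose MIME type or ActiveX class id belongs to the Java plug-in, together with the class or JAR it would fetch and whether the element is sized so small that the user could never see it. The sample page at the bottom is constructed for this example; the MIME types and class ids are the ones the Java plug-in registers, and the `<param>` names are the standard ones an `<object>` uses to hand the plug-in its code.

```python
"""Inventory the Java applet embeds in a page before enabling the plug-in for it.

Added example (not from the US-CERT alert or from Mozilla). The sample HTML at
the bottom is constructed for this example and does not come from any real site.
"""
from html.parser import HTMLParser

# MIME types the Java plug-in registers for <object>/<embed>.
JAVA_MIME_PREFIXES = ("application/x-java-applet", "application/x-java-bean")
# ActiveX class ids the Java plug-in registers in Internet Explorer: the generic
# one and the CAFEEFAC-... family that pins a particular Java version.
JAVA_CLSID_PREFIXES = ("clsid:8ad9c840-044e-11d1-b3e9-00805f499d93", "clsid:cafeefac-")
# <param> names through which an <object> tells the plug-in what to load.
JAVA_PARAM_NAMES = ("code", "archive", "jnlp_href")


def _is_tiny(attrs):
    """True when width and height are both 1px or less: an applet the user cannot see."""
    try:
        return int(attrs.get("width", "")) <= 1 and int(attrs.get("height", "")) <= 1
    except ValueError:  # missing, percentage or otherwise non-integer size
        return False


class JavaEmbedFinder(HTMLParser):
    """Records [tag, resource, hidden] for every element that would load the Java plug-in."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open_object = None  # index into findings while inside a Java <object>

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            resource = attrs.get("code") or attrs.get("archive", "")
            self.findings.append([tag, resource, _is_tiny(attrs)])
        elif tag in ("object", "embed"):
            mime = attrs.get("type", "").lower()
            clsid = attrs.get("classid", "").lower()
            if mime.startswith(JAVA_MIME_PREFIXES) or clsid.startswith(JAVA_CLSID_PREFIXES):
                resource = attrs.get("code") or attrs.get("archive") or attrs.get("data", "")
                self.findings.append([tag, resource, _is_tiny(attrs)])
                if tag == "object":
                    self._open_object = len(self.findings) - 1
        elif tag == "param" and self._open_object is not None:
            # An <object> usually names its JAR or class in a child <param>.
            name = attrs.get("name", "").lower()
            if name in JAVA_PARAM_NAMES and not self.findings[self._open_object][1]:
                self.findings[self._open_object][1] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._open_object = None


def find_java_embeds(html):
    """Return a list of (tag, resource, hidden) tuples for the Java embeds in html."""
    finder = JavaEmbedFinder()
    finder.feed(html)
    finder.close()
    return [tuple(f) for f in finder.findings]


# Constructed sample: a visible line-of-business applet, a 1x1 applet pulled from a
# third-party host, a Flash embed (not Java) and an IE-style Java <object>.
SAMPLE_PAGE = """
<html><body>
<h1>Intranet timesheet</h1>
<applet code="Timesheet.class" archive="timesheet.jar" width="400" height="300"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="archive" value="//cdn.example.invalid/hidden.jar">
</object>
<embed type="application/x-shockwave-flash" src="banner.swf" width="468" height="60">
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="300" height="200">
  <param name="code" value="Chart.class">
</object>
</body></html>
"""

if __name__ == "__main__":
    for tag, resource, hidden in find_java_embeds(SAMPLE_PAGE):
        flag = "  <-- not visible to the user" if hidden else ""
        print(f"<{tag}> loads {resource or '(unspecified)'}{flag}")
```

Run against the constructed page it reports the timesheet applet, the invisible 1x1 object fetching a JAR from another host, and the IE-style object loading `Chart.class`, while ignoring the Flash embed. A page that needs the plug-in for one visible business applet is a reasonable candidate for a per-site exception; an invisible applet loaded from a host the page does not otherwise use is the pattern of the drive-by delivery the alert describes and is a reason to keep the plug-in blocked and to look at the page more closely.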
Oracle has released Java Version 7 Update 11. The patch switches the default security setting from medium to high, which will require applets to ask for permission before running.