[ISN] Oracle’s Java security update lacking, experts say

http://www.csoonline.com/article/724327/oracle-s-java-security-update-lacking-experts-say By Antone Gonsalves CSO December 19, 2012 Oracle’s latest update of the Java Development Kit fails to go far enough in fixing the security-troubled platform, bringing only marginal improvements instead, experts say. Among the improvements in Java SE Development Kit 7, Update 10 (JDK 7u10) is the ability to use the control panel to prevent Java applications from running in browsers. Vulnerabilities in Java are a major target for cybercriminals hoping to infect computers with malware. That’s because hackers know many people do not keep the Java plug-in for browsers up to date, leaving old flaws open to exploitation. This has resulted in a high success rate for attackers. In 2011, an exploit integrated into the Blackhole toolkit, a hacker favorite, had more than an 80 percent success rate, according to HP’s security research division. Other improvements in JDK 7u10 include using the control panel to choose from four levels of security for unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. In addition, Oracle has added a dialogue box that will warn people when the Java plug-in needs to be updated to prevent exploits. […] ______________________________________________ Visit the InfoSec News Security Bookstore Best Selling Security Books and More! http://www.shopinfosecnews.org