The train-wreck of Java issues keeps on piling up, and once again Apple and Mozilla have stepped in to try to corral the damage. Earlier this month, both companies disabled Java browser plugins in response to the serious zero-day exploits that were found to be circulating for the latest version of Java. Oracle quickly released an update that covered the hole that was being actively exploited, but that was not the end of the problem for them or for Java users.
Immediately after the update was released, researchers discovered problems with it. First, while the Java update did fix the active exploit problem, it didn’t fix both vulnerabilities that contributed to the problem. At this point, Mozilla moved to include Java 7u11 in its Click to Play protection, which would force users to actively acknowledge Java content by clicking on it rather than simply letting it automatically run.
In the 7u11 update, Oracle too had increased their security settings to require users to click before running unsigned Java applets. But predictably, researchers soon found ways around this protection.
Oracle’s management has begun to acknowledge the sad state of affairs that is Java security. Milton Smith, Oracle’s Java security lead, also announced that Oracle would be working to improve their communication about security efforts as they try to shore things up.
Rather than waiting for what is likely to be a very long process of completely fixing the Java browser plugin, this morning Apple decided to once again block the Java plugin with XProtect:
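Apple's XProtect block described above does not remove the plugin; it lists a minimum bundle version for the plugin's bundle identifier in its metadata property list, and any installed plugin below that version is refused by the browser. The script below is an added example, not code from the original post or from Apple, that models this version-gating decision so a defender can check a fleet's installed Java plugin version against a block list. The plist fragment is constructed for the example and follows the `PlugInBlacklist` / `MinimumPlugInBundleVersion` layout of XProtect's metadata file; the version numbers in it are made up, not Apple's actual values.

```python
"""Model of a version-gated plugin block list (constructed example).

The sample plist below is built inline for this example. Its structure is
modelled on Apple's XProtect.meta.plist (PlugInBlacklist -> group ->
bundle id -> MinimumPlugInBundleVersion); the version strings are invented.
"""
import plistlib

# Constructed sample: a block-list entry for the Java applet plugin.
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Version</key>
  <integer>1000</integer>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.11.22</string>
        <key>PlugInUpdateAvailable</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

JAVA_PLUGIN_ID = "com.oracle.java.JavaAppletPlugin"


def parse_version(text):
    """Turn a dotted bundle version such as '1.7.11.21' into a tuple of ints.

    Raises ValueError on empty or non-numeric components so that callers can
    decide how to treat unparseable versions (this example fails closed).
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdecimal():
            raise ValueError(f"non-numeric version component: {piece!r}")
        parts.append(int(piece))
    return tuple(parts)


def version_less_than(a, b):
    """Compare two version tuples, padding the shorter one with zeros so that
    '1.7.11' and '1.7.11.0' compare equal."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a < b


def blocked_minimum(meta_plist_bytes, bundle_id):
    """Return the minimum allowed version for bundle_id, or None if the
    block list has no entry for it."""
    meta = plistlib.loads(meta_plist_bytes)
    for group in meta.get("PlugInBlacklist", {}).values():
        entry = group.get(bundle_id)
        if entry and "MinimumPlugInBundleVersion" in entry:
            return entry["MinimumPlugInBundleVersion"]
    return None


def is_plugin_blocked(meta_plist_bytes, bundle_id, installed_version):
    """True if the installed plugin version is below the block list's minimum.

    A version string that cannot be parsed is treated as blocked (fail closed),
    which is the conservative choice for a security gate.
    """
    minimum = blocked_minimum(meta_plist_bytes, bundle_id)
    if minimum is None:
        return False
    try:
        installed = parse_version(installed_version)
        required = parse_version(minimum)
    except ValueError:
        return True
    return version_less_than(installed, required)


if __name__ == "__main__":
    # Constructed installed versions; "1.7.11.21" sits just below the minimum.
    for version in ("1.7.11.21", "1.7.11.22", "1.7.11.22.1", "garbage"):
        state = "BLOCKED" if is_plugin_blocked(SAMPLE_META_PLIST, JAVA_PLUGIN_ID, version) else "allowed"
        print(f"{JAVA_PLUGIN_ID} {version}: {state}")
```

Raising the minimum one notch above the newest shipping plugin is how a block list can disable every released version at once, which is why a plugin that is fully patched can still be refused until the vendor ships a build numbered at or above the minimum.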
Hopefully, all this added attention will prompt Oracle to step up the pace in fixing Java in the browser. As it stands, Java is one of the most attractive targets for cybercriminals – it has a huge number of known, outstanding vulnerabilities and a huge install base on all the major operating systems. But if major browser vendors continue to block its plugin and users learn to live without it, that may not be the case for much longer.