Oracle has quickly whipped up a fix for its much-maligned Java, after the US Department of Homeland Security recommended web users disable or remove the software to secure their internet use. Java 7 Update 11, released late on Sunday, changes the default security settings so that unsigned Java applets or Web Start applications prompt for permission to run first, as opposed to the potentially dangerous previous behavior where they could operate without permission.
According to Oracle’s release notes for Update 11, that’s the most significant change, and one which instantly adds an extra degree of protection to users. The DoHS’s concern had been that malicious web content could run without any checks by default, presenting a malware or phishing risk, among other things.
“The default security level for Java applets and web start applications has been increased from ‘Medium’ to ‘High’. This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the ‘High’ setting the user is always warned before any unsigned application is run to prevent silent exploitation.”
Meanwhile, the update also includes other, unspecified fixes for security vulnerabilities. A couple of issues are still outstanding, however: in some circumstances the security level slider no longer indicates the correct level of the settings, and there are some JavaFX plugin issues. Oracle suggests uninstalling the standalone copy of JavaFX 2.x to address it, though it will release a subsequent update to fix it properly.