Further flaws have been found in Java despite Oracle pledging to take the security of its software seriously.
Polish infosec researcher Adam Gowdiak of Security Explorations yesterday revealed his company had found a way to bypass recently introduced security controls for Java, which Oracle said would stop malicious code from executing without users' knowledge.
Java SE 7 Update 10, released in December 2012, gave users four security levels in the Java control panel to govern when unsigned Java applets may run in the web browser: Low, Medium, High and Very High. At High, users are prompted before an unsigned applet runs in the browser. At Very High, unsigned applets are not supposed to run at all.
The new features were touted as being "significant improvements" by Oracle's security principal Milton Smith.
But Gowdiak said his proof-of-concept code showed that attackers could run unsigned, malicious Java code without the user being prompted, whichever of the four security levels was selected.
"Unsigned Java code can be successfully executed on target Windows systems regardless of the four Java control panel [security] settings," Gowdiak wrote.
Gowdiak's company tracks the new bypass as Issue 53 and said it works against the latest release, Java SE 7 Update 11, on Windows 7 with the security level set to Very High.
So-called drive-by exploits, which silently plant malicious code on users' systems when they visit a compromised site, are not prevented by Oracle's recent security improvements to Java, Gowdiak claimed.
Instead, Gowdiak advised, users should rely on the "click to play" controls offered by browser vendors, which require the user to grant permission manually before plugin content runs, to mitigate Java plugin exploits.
Its long record of security flaws has made Java a favourite target for attackers developing zero-day exploits.
One such exploit was used in the global espionage campaign Red October, where attackers triggered a Java vulnerability to download malicious code in the background, which then ran automatically to steal data, according to Israeli security firm Seculert.
Because of the steady stream of flaws, security experts and government infosec organisations currently recommend that users disable the Java plugin in their browsers or remove Java from their systems altogether.
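The advice above comes down to one setting, not the security slider: whether the Java plugin is reachable from the browser at all. The script below is an added example, not code from the article or from Security Explorations. It parses a Java deployment.properties file (the file behind the control panel, found under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment on Windows and ~/.java/deployment on Linux) and flags the two keys that matter: deployment.webjava.enabled, which switches the browser plugin off, and deployment.security.level, the slider value. The two sample files are constructed for the demo, and the defaults assumed when a key is absent (plugin on, level MEDIUM) are this example's assumption, not a statement from the article.

```python
"""Audit a Java deployment.properties file for the browser-plugin settings
discussed in the article.

Added example, not the article's or Security Explorations' own code.
Assumptions: the Java 7u10+ keys deployment.security.level
(LOW/MEDIUM/HIGH/VERY_HIGH) and deployment.webjava.enabled (true/false);
the defaults applied when a key is missing are assumed for the demo.
"""

import os
import sys

# Constructed sample: a workstation left with the plugin on and the slider at High.
SAMPLE_WEAK = """#deployment.properties
deployment.security.level=HIGH
deployment.webjava.enabled=true
deployment.expiration.check.enabled=false
"""

# Constructed sample: the hardened form, with web Java switched off.
SAMPLE_HARDENED = """deployment.security.level=VERY_HIGH
deployment.webjava.enabled=false
"""

# Per-user locations of the file (Windows path from the JRE layout; Linux from ~/.java).
CANDIDATE_PATHS = [
    os.path.join(os.environ.get("USERPROFILE", ""), "AppData", "LocalLow",
                 "Sun", "Java", "Deployment", "deployment.properties"),
    os.path.expanduser("~/.java/deployment/deployment.properties"),
]


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value lines,
    '#' and '!' comment lines, surrounding whitespace ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for sep in "=:":
            if sep in line:
                key, _, value = line.partition(sep)
                props[key.strip()] = value.strip()
                break
    return props


def audit(props):
    """Return a list of (severity, message) findings, most serious first.

    The plugin switch is the HIGH finding: Issue 53 runs unsigned code at every
    slider position, so only disabling web Java (or click-to-play in the
    browser) actually closes the drive-by path.
    """
    findings = []
    # Assumed default when the key is absent: plugin enabled.
    webjava = props.get("deployment.webjava.enabled", "true").lower()
    if webjava != "false":
        findings.append(("HIGH", "Java plugin enabled in the browser; the security "
                                 "slider does not stop the Issue 53 bypass, so set "
                                 "deployment.webjava.enabled=false"))
    # Assumed default when the key is absent: MEDIUM.
    level = props.get("deployment.security.level", "MEDIUM").upper()
    if level != "VERY_HIGH":
        findings.append(("MEDIUM", "security level is %s, not VERY_HIGH" % level))
    return findings


def audit_file(path):
    """Read a deployment.properties file and audit it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(parse_properties(fh.read()))


def main():
    # Audit the real file if one exists, otherwise demonstrate on the samples.
    real = [p for p in CANDIDATE_PATHS if os.path.isfile(p)]
    targets = [(p, audit_file(p)) for p in real] or [
        ("constructed weak sample", audit(parse_properties(SAMPLE_WEAK))),
        ("constructed hardened sample", audit(parse_properties(SAMPLE_HARDENED))),
    ]
    for name, findings in targets:
        print(name + ":")
        for severity, message in findings or [("OK", "no findings")]:
            print("  [%s] %s" % (severity, message))
    return 1 if any(f for _, f in targets) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with no arguments: if a per-user deployment.properties exists it is audited, otherwise the two constructed samples are. A non-zero exit code means at least one finding, which makes the script usable from a login script or endpoint-compliance check; the article's point is that a green result on the slider alone is not enough, so the plugin finding is the one ranked HIGH.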