Although there's no evidence of hackers exploiting the newest vulnerability, Gowdiak hinted that it wouldn't be difficult for them to do so. "It should be considered in terms of a big miss by Oracle," Gowdiak said. "We were truly surprised to find out how trivial it is to bypass these new security settings."
Hackers have stepped up their attacks against Java and its browser plug-in, with some security firms estimating that they account for more than half of all attempted exploits. Most often, Java exploits are used to conduct "drive-by" attacks, or ones that install malware on PCs and Macs after their owners simply browse to compromised or malicious websites.
Gowdiak published his claim just days after Oracle released a recording of a conference call between Milton Smith, the senior principal product manager who oversees Java security, and Java user group leaders, to discuss the recent vulnerabilities and steps Oracle was taking.
During the call, Smith touted the security enhancements to Java 7, including the introduction of the settings in Update 10, and the change of the default from "Medium" to "High" in Update 11. "[They] effectively make it so that unsigned applets won't run without a warning," Smith said of the security settings. "Some of the things we were seeing were silent exploits, where people would click on a link in an email and unwittingly compromise a machine. But now those features really prevent that. Even if Java did have an exploit, it would be very hard to do it silently."
According to Gowdiak, that's exactly what the newest vulnerability could let attackers do. "Recently made security improvements to Java 7 don't prevent silent exploits at all," Gowdiak wrote on Bugtraq.
When asked how users who must run Java in their browser should protect themselves against possible exploits, Gowdiak repeated his earlier suggestion that people turn to a browser with "click-to-play," a feature that forces users to explicitly authorize a plug-in's execution. Both Chrome and Firefox include click-to-play.
"That may help prevent automatic and silent exploitation of known and not-yet-addressed Java plug-in vulnerabilities," Gowdiak said.