Java's misfortunes continued when later in the month Security Explorations, a Polish security firm with a history of finding security flaws in Java, discovered new vulnerabilities in the 7u11 update that could be exploited to avoid the program's sandbox--a programming technique used to isolate the damage malicious code can do to a system.
"These problems will continue until Oracle fixes the sandbox," Bitdefender Senior E-Threat Analyst Bogdan Botezatu said in an interview.
Botezatu was critical of how much responsibility Oracle put on users to maintain security in the 7u11 update.
For example, the update sets, by default, the highest security level for Java. At that level, whenever an unsigned Java applet tries to run in a browser, a message pops up cautioning a user that the app may be dangerous and that the user should proceed at their own risk.
Typically, users ignore such warnings because they find them annoying. That's particularly true for children who play Java games on the Web--a fact, Botezatu points out, not lost on digital desperadoes. "I've seen lots of websites running Java malware on pages that have been optimized with keywords targeted at children," he said.
With the latest Java update, Oracle may be trying to change its luck with the program. It appears to have skipped update 12 in its numbering scheme and designated the latest bundle of fixes Java 7 update 13.