
New Oracle Java Vulnerability

The Naked Security blog from security software developer Sophos recently reported on a new vulnerability discovered in Oracle Java. Allegedly, malware authors can forge the security warning that pops up (pictured) when a Java applet is run from a web browser, so users could be tricked into thinking they are running a Java applet from a trusted publisher.

From the article:

[Image: Java applet security warning dialog]

When you download the applet with Java, you are prompted to run the applet with a warning that Java applets can be dangerous, the name of the applet, the publisher and the URL serving it to you.

While the name can be anything, it is usually there to remind you of why you want to run this Java program.

The publisher should provide a clue as to whether it is from the expected source and the URL verifies that it is coming from the expected site.

What [our source] discovered is that you can forge both the application name and the URL to be anything you want. In essence, they’re doing it wrong.

If you do not use Java, it is highly recommended that you turn it off in your web browser. If you must use websites that require you to have Java installed, consider disabling it in your main browser and have an alternative browser just for visiting that website.

(Hat tip, Jay Lindly)