Both Oracle and Microsoft have patches out this week that will require immediate attention from millions of users and enterprise IT admins.
In the case of the Oracle Java flaw, the issue was first publicly reported late Thursday and triggered a US CERT alert. The vulnerability in question enables unprivileged code to access restricted classes and potentially execute arbitrary code. The Java vulnerability is particularly dangerous because it affects all versions of Java across all Windows, Mac and Linux operating systems.
Oracle issued a fix for the issue in Java 7 update 11 (7u11), which also makes a significant change to the default security level setting: the default is now "high", up from the "medium" setting used in 7u10.
“By changing the default security level to ‘high’ it ensures that, by default, users will need to click on a Java applet to allow it to run,” Alex Kirk, senior research engineer with Sourcefire, told eSecurity Planet.