Security researcher Adam Gowdiak ([SE-2012-01] An issue with new Java SE 7 security features) notes recent claims by Oracle that it has substantially improved Java security. Sadly, he points out, those improvements are only theoretical.
What we found out and what is a subject of a new security vulnerability (Issue 53) is that unsigned Java code can be successfully executed on a target Windows system regardless of the four Java Control Panel settings described above. Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with “Very High” Java Control Panel security settings.
That said, recently made security “improvements” to Java SE 7 software don’t prevent silent exploits at all. Users that require Java content in the web browser need to rely on a Click to Play technology implemented by several web browser vendors in order to mitigate the risk of a silent Java Plugin exploit.
I’ve said it before and I’ll say it again: If you are concerned about the security of your PC and network you should seriously consider uninstalling Java from all PCs under your control.
If you use web-based apps that require Java, you should conduct an active search for alternatives. If you cannot find alternatives, you should consider running Java only in highly managed virtual environments.
The fact that Java uses deceptive techniques to distribute unwanted software with its security updates just adds insult to its serious potential for injury.