After announcing just yesterday that a fix was coming, Oracle on Sunday released yet another update (Java 7 Update 11) to address a security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website; direct links are at the bottom of this page.
In the release notes for the 7u11 update, Oracle notes that this version "contains fixes for security vulnerabilities." A closer look at the Oracle Security Alert for CVE-2013-0422 shows that Update 11 actually fixes two vulnerabilities!
In addition, the update changes the default Java Security Level setting from Medium to High, which means the user is now ALWAYS prompted before any unsigned Java applet or Java Web Start application is run. This is intended to prevent "drive-by downloads", as Oracle describes:
This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.
With this latest update, the most recent Java security fiasco is over, but the security nightmare is far from over.
On Thursday the 24th of January, the US Computer Emergency Readiness Team (US-CERT), part of the National Cyber Security Division of the Department of Homeland Security, issued the following vulnerability note:
Overview - Java 7 Update 10 and earlier contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description - Java 7 Update 10 and earlier contain an unspecified remote-code-execution vulnerability. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits.
Impact - By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
The critical security hole, which allowed attackers to run malicious software on a victim's machine, was quickly exploited on the net: exploit code was made publicly available and incorporated into commonly found exploit kits. Later the same day, Apple Inc. blocked Java 7 on OS X 10.6 and later to protect its Mac users from the exploit.
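For administrators checking their own fleet against the two points above (a runtime at Java 7 Update 10 or earlier, and a Security Level below High), here is a small added example, not code from the original article or from Oracle. It parses `java -version` output and the `deployment.security.level` key that Oracle documents for the `deployment.properties` file; the sample inputs are constructed for illustration.

```python
import re

# Java 7 reports itself as e.g. java version "1.7.0_10" (Update 10).
VERSION_RE = re.compile(r'java version "1\.(\d+)\.0_(\d+)"')

FIXED_UPDATE = 11                          # Java 7 Update 11 fixes CVE-2013-0422
ACCEPTABLE_LEVELS = {"HIGH", "VERY_HIGH"}  # levels that prompt before unsigned applets run

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_OUTPUT = 'java version "1.7.0_10"\nJava(TM) SE Runtime Environment (build 1.7.0_10-b18)\n'
SAMPLE_DEPLOYMENT_PROPERTIES = "# constructed deployment.properties\ndeployment.security.level=MEDIUM\n"


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None if not a 1.x.0_y string."""
    m = VERSION_RE.search(output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable_version(output):
    """True for Java 7 Update 10 or earlier (the range in the US-CERT note); None if unparseable."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None  # unknown format: report for manual review rather than guess
    major, update = parsed
    return major == 7 and update < FIXED_UPDATE


def security_level(deployment_properties):
    """Extract deployment.security.level from a deployment.properties body; None when unset."""
    for line in deployment_properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "deployment.security.level":
            return value.strip().upper()
    return None


def assess(java_version_output, deployment_properties):
    """Combine both checks into a list of findings for one host (empty list means clean)."""
    findings = []
    vuln = is_vulnerable_version(java_version_output)
    if vuln is None:
        findings.append("java version not recognised; review manually")
    elif vuln:
        findings.append("Java 7 below Update 11: update to fix CVE-2013-0422")
    level = security_level(deployment_properties)
    if level not in ACCEPTABLE_LEVELS:
        findings.append("security level is %s; set it to HIGH so unsigned applets prompt" % (level or "unset"))
    return findings
```

An unset level is reported as well, because the default depends on which update is installed (Medium before 7u11, High from 7u11 on).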