Researchers from the Polish firm Security Explorations have identified a serious vulnerability in the latest version of Java that completely bypasses the new security level Oracle recently introduced for Java applets. Taken together with the two other vulnerabilities the same firm disclosed less than two weeks ago, this leaves Java users once again as exposed as they were before the latest update.
Some background is required. As we noted when Java 7 Update 11 was released, Oracle changed the default Java Security Level setting from Medium to High, meaning the user is now always prompted before any unsigned Java applet or Java Web Start application is run. The intent is to prevent drive-by downloads, as Oracle explains:
This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.
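The Security Level described above is a deployment property rather than only a Control Panel checkbox, and a user can set it back to Medium from the Java Control Panel unless an administrator locks it. The following is an added example, not text from the article or from Oracle, showing how a system-wide deployment.config points at a locked deployment.properties. The file paths are the default Java 7 system locations on Windows and Linux and are assumed for illustration; adjust them for your installation.

```properties
# --- deployment.config (system-wide; Windows default location assumed:
#     C:\Windows\Sun\Java\Deployment\deployment.config,
#     Linux default assumed: /etc/.java/deployment/deployment.config) ---
# Point the JRE at an administrator-controlled deployment.properties and
# refuse to start Web Java if that file cannot be read.
deployment.system.config=file:/C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# --- deployment.properties (the file referenced above) ---
# Weak setting that a user could select from the Java Control Panel
# (the pre-7u11 default): unsigned applets run without any prompt.
#deployment.security.level=MEDIUM

# Corrected setting: HIGH is the 7u11 default (prompt before any unsigned
# applet or Web Start app); VERY_HIGH additionally refuses to run unsigned
# code at all. The ".locked" line greys the slider out in the Control
# Panel so the user cannot lower it again.
deployment.security.level=HIGH
deployment.security.level.locked
```

Locking the level only stops a user from undoing Oracle's default; as the article notes, the new vulnerability bypasses the security level entirely, so this hardening does not substitute for patching or for disabling Java in the browser where it is not needed.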