After announcing just yesterday that a fix was coming, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, download the update now from the Java Control Panel or directly from Oracle’s website here: Java SE 7u11. Then open Programs and Features (Add or Remove Programs on older Windows) in the Control Panel and uninstall any previous versions that are still listed; an old copy left behind is still vulnerable software on the machine.
The release notes for this update say only that it “contains fixes for security vulnerabilities.” The Oracle Security Alert for CVE-2013-0422 is more specific: Update 11 fixes two vulnerabilities.
The update also raises the default Java Security Level in the Java Control Panel from Medium to High. At High, an unsigned Java applet or Java Web Start application no longer runs silently; the user is prompted and has to approve it first. The point is to blunt drive-by attacks, since an exploit delivered as an unsigned applet now needs a click before it can run at all. Note the limit of that change: a user who clicks through the prompt is still exposed, so the new default is a mitigation, not a substitute for the patch. Our experience is that Java is by far the most exploited web browser plugin. We still recommend that users who have no specific need for Java simply uninstall it.
The “drive-by” attacks that use browser plugins take advantage of the fact that merely visiting a website that contains the malicious code, while the vulnerable plugin is enabled, is enough to run the attacker’s code on the machine. There is no download, no click and no “Run” prompt: the result is as though the user had chosen to install the malicious software (malware) themselves. The code runs with the rights of the user running the browser. That is not always “full administrative rights”, but it is enough to read the user’s files, steal saved credentials and hijack logged-in sessions, and on a machine where the user’s account is an administrator it is usually the whole machine.
Install updates promptly whenever the orange Java coffee-cup icon appears in the notification area (the “tray”). Again, if in doubt, remove Java altogether: every version you see in “Add or Remove Programs” or “Programs and Features”. Chances are you don’t need it, and if you do, the site that needs it will prompt you to install it, at which point you will get the latest version.
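For readers who look after more than one machine, here is a small Python script that turns the two checks above into something you can run: it flags every installed Java older than 7 Update 11 (the "update or uninstall" advice) and reads deployment.properties to see whether the Control Panel security level is still Medium (the default that 7u11 raises to High). This is an added example written for this post, not code from the original article or from Oracle. Assumptions: the Programs and Features display names and the properties file contents are constructed samples; the key name `deployment.security.level` and the values LOW, MEDIUM, HIGH and VERY_HIGH follow Oracle's deployment configuration for 7u10 and later, so verify them against the guide for your release; and on a real host the properties text would come from the user's deployment.properties (on Windows 7 normally under `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment`, an assumed path) while the display names would come from the Uninstall keys in the registry.

```python
"""Audit Java exposure on one Windows machine after the 7u11 release.

Added example, not code from the original post or from Oracle. It does the
two checks the post recommends: every installed Java is at least 7 Update 11,
and the Control Panel security level is no longer MEDIUM. Input is constructed
inline so it runs offline; on a real host feed it the DisplayName values of
the Uninstall registry keys and the user's deployment.properties text. The
key deployment.security.level and its values LOW/MEDIUM/HIGH/VERY_HIGH follow
Oracle's deployment configuration for 7u10 and later (assumed; verify them).
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (7, 11)  # Java 7 Update 11, the release carrying the CVE-2013-0422 fix

# Two spellings of one version: "1.7.0_10-b18" as printed by `java -version`,
# and "Java(TM) 7 Update 10" as shown in Programs and Features.
_DOTTED = re.compile(r"\b1\.(\d+)\.\d+(?:_(\d+))?")
_DISPLAY = re.compile(r"Java(?:\(TM\))?(?: SE)?(?: Development Kit)? (\d+) Update (\d+)", re.I)


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a Java version or product name, or None if not Java."""
    if "java" not in text.lower():
        return None
    m = _DOTTED.search(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _DISPLAY.search(text)
    if m:
        return int(m.group(1)), int(m.group(2))
    return None


def is_outdated(version: Tuple[int, int]) -> bool:
    """Anything older than 7u11 should be updated or uninstalled, per the post."""
    return version < FIXED_VERSION


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators, backslash line continuation. Enough for deployment.properties."""
    props: Dict[str, str] = {}
    carry = ""
    for raw in text.splitlines():
        line = carry + raw.lstrip()  # a continuation line drops its leading whitespace
        carry = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            carry = line[:-1]  # logical line continues on the next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_security_level(props: Dict[str, str], newest: Tuple[int, int]) -> str:
    """Level the Control Panel applies: an explicit setting wins; otherwise the
    built-in default, which 7u11 raised from MEDIUM to HIGH."""
    explicit = props.get("deployment.security.level")
    if explicit:
        return explicit.upper()
    return "HIGH" if newest >= FIXED_VERSION else "MEDIUM"


def audit(display_names: List[str], deployment_properties: str) -> List[str]:
    """One finding per installed Java, plus one for the security level."""
    findings = []
    newest: Optional[Tuple[int, int]] = None
    for name in display_names:
        version = parse_java_version(name)
        if version is None:
            continue  # not a Java entry
        newest = version if newest is None else max(newest, version)
        if is_outdated(version):
            findings.append(f"OUTDATED  {name}: {version[0]}u{version[1]} is older than 7u11, update or uninstall")
        else:
            findings.append(f"CURRENT   {name}")
    if newest is None:
        findings.append("NO JAVA   nothing to patch; leave it that way unless you need it")
        return findings
    level = effective_security_level(parse_properties(deployment_properties), newest)
    if level in ("LOW", "MEDIUM"):
        findings.append(f"WEAK      deployment.security.level is {level}: unsigned applets can run without a prompt, set HIGH or VERY_HIGH")
    else:
        findings.append(f"OK        deployment.security.level is {level}: unsigned code prompts before it runs")
    return findings


# Constructed sample input, not taken from a real machine.
SAMPLE_DISPLAY_NAMES = [
    "Java(TM) 6 Update 37",
    "Java 7 Update 10",
    "Java 7 Update 11 (64-bit)",
    "Adobe Flash Player 11 ActiveX",
]
SAMPLE_PROPERTIES = """\
# constructed deployment.properties: the level was set by hand before 7u11
deployment.version=7.10
deployment.security.level=MEDIUM
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_DISPLAY_NAMES, SAMPLE_PROPERTIES):
        print(line)
```

Two details worth noticing. The script keeps the newest installed version and uses it to decide the default security level, because a machine that still has 7u10 as its newest Java has a Medium default even if the properties file never mentions the key. And an explicit `deployment.security.level=MEDIUM` left over from an earlier manual change survives the 7u11 upgrade, which is exactly the case the sample catches: patched, but still running unsigned applets without a prompt.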