Not Grif but.. in regard to Exploit:Java/CVE-2011-3544

by Carol~ Moderator - 1/28/13 10:31 AM

In Reply to: Which is the latest update? by raduzhok

'I note that I currently am running V7update9 of Java. Have there been newer updates since that update was issued?'

The latest release was Java 7u11. More about it below.

I don't know if you found where the warning came from (with 7u9 installed), but have a look at what Microsoft has to say about Exploit:Java/CVE-2011-3544. Scroll down to "Recovery" at the bottom, where you will read:

'To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat: Microsoft Security Essentials or, for Windows 8, Windows Defender

Update vulnerable Java applications

This threat exploits a known vulnerability in Java. After removing this threat, make sure that you install the updates available from the vendor. You can read more about this vulnerability in Java, as well as where to download the software update from the following links:

CVE-2011-3544
Java Download
'

My guess would be .. MSE is detecting the vulnerable update. Be it 7u9 or possibly 7u11.

Also see "Protecting Users Against Java Vulnerability" at the Mozilla Security Blog, where it states:

"Mozilla is extending Click to Play for Java 7u11 due to reports of exploit code available for 7u11 and information that all elements of the original Java bug have not been fully addressed by Oracle in the 7u11 patch."

"The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site."

You stated you had chosen not to upgrade until you hear Java released a fully secure update. As has been noted here and elsewhere, shortly after Java 7u11 was released, the update was reported as "broken and incomplete". Will it ever be fully secure?

Carol