There is a new Java release from a couple of days ago that resolves a hole that was recently discovered.
(Oracle, US-CERT, NVD/NIST)
In my initial reading about this update 11, I saw clearly that it partially disables the run-without-asking functionality by default, but I didn't see where it actually fixes the underlying problem. So, is the following info correct?
- Is the vulnerability in the Java sandbox found in both 7u10 and 7u11?
- Am I right that this is almost exclusively a problem with the Java plug-in (web browsing with Java enabled), but that it does have consequences for some generally unknown applications that make use of the sandbox?
- Is it true that the only way to sidestep the problem is to prevent code you don't trust from running (either disable Java, or adjust it to always ask before running applets)?
- Is it true that the only relevant difference between 7u10 and 7u11 is that, instead of running applets without asking (by default), Java 7u11 will ask the user before running unsigned applets while continuing to run signed apps without asking? Which would mean that signed apps can still be used to exploit the vulnerability?
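As an added illustration of the check behind the last two bullets (my own example, not part of the original question and not Oracle's tooling): a small Python script that reads the JRE update number from `java -version` and the plug-in settings from the per-user deployment.properties, then reports whether unsigned applets could still run in the browser without a prompt. The key names `deployment.webjava.enabled` and `deployment.security.level`, the level values, the version-dependent default (MEDIUM before 7u11, HIGH from 7u11), and the file paths are what the Java 7u10+ Control Panel writes as I recall them; treat them as assumptions to confirm against your own file. The sample inputs are constructed. It reports on the unsigned-applet prompt only and says nothing about signed applets.

```python
"""Report a Java 7 install's update level and browser plug-in policy.

Added example. The key names, level values and file paths below are those of
the Java 7u10+ Control Panel as recalled; verify against your own install.
"""
import os
import re
import subprocess

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# Slider levels at which the plug-in prompts before running an *unsigned*
# applet (the 7u11 release notes describe the new default, HIGH, this way).
PROMPTING_LEVELS = {"HIGH", "VERY_HIGH"}

# Constructed sample: what `java -version` prints (to stderr) on 7u11.
SAMPLE_JAVA_VERSION = '''java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)
'''

# Constructed sample deployment.properties: plug-in enabled, slider at HIGH.
SAMPLE_DEPLOYMENT_PROPERTIES = '''#deployment.properties
deployment.version=7.11
deployment.security.level=HIGH
deployment.webjava.enabled=true
'''


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` text."""
    m = VERSION_RE.search(output)
    if m is None:
        raise ValueError("no 'java version' line in output")
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def parse_properties(text):
    """Minimal key=value parser for deployment.properties (no continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def assess(version_output, properties_text):
    """Summarise whether unsigned applets could run in the browser unprompted."""
    major, minor, micro, update = parse_java_version(version_output)
    props = parse_properties(properties_text)
    # A missing key means the Control Panel default: plug-in on, and a slider
    # default that 7u11 raised from MEDIUM to HIGH (assumed defaults).
    webjava = props.get("deployment.webjava.enabled", "true").lower() == "true"
    default_level = "HIGH" if (major, minor, micro, update) >= (1, 7, 0, 11) else "MEDIUM"
    level = props.get("deployment.security.level", default_level).upper()
    prompts = level in PROMPTING_LEVELS
    return {
        "version": "%d.%d.%d_%02d" % (major, minor, micro, update),
        "update": update,
        "webjava_enabled": webjava,
        "security_level": level,
        "unsigned_applets_prompt": prompts,
        # The run-without-asking condition from the question: the browser
        # plug-in is on and unsigned applets are not gated by a prompt.
        "silent_unsigned_execution": webjava and not prompts,
    }


def collect_local():
    """Run the real `java -version` and read the per-user deployment.properties.

    Paths are the usual per-user locations on Linux and Windows (assumption)."""
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    version_text = out.stderr + out.stdout  # the JDK writes -version to stderr
    candidates = [
        os.path.expanduser("~/.java/deployment/deployment.properties"),
        os.path.join(os.environ.get("USERPROFILE", ""), "AppData", "LocalLow",
                     "Sun", "Java", "Deployment", "deployment.properties"),
    ]
    props_text = ""
    for path in candidates:
        if os.path.isfile(path):
            with open(path) as fh:
                props_text = fh.read()
            break
    return version_text, props_text


if __name__ == "__main__":
    print("sample:", assess(SAMPLE_JAVA_VERSION, SAMPLE_DEPLOYMENT_PROPERTIES))
    try:
        print("local:", assess(*collect_local()))
    except (OSError, ValueError) as exc:  # no java on PATH, or unparsable output
        print("local check skipped:", exc)
```

Run it as-is to see the constructed 7u11 sample assessed, followed by the local install if `java` is on the PATH. The only thing the script treats as "safe" is the combination the question itself proposes: plug-in off, or the slider at a level that prompts for unsigned applets; it deliberately does not claim anything about which update fixes the sandbox bug.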