As you’re no doubt well aware, Oracle has been churning out a lot of security updates for Java lately. They’ve also been adding security features, such as the new security settings. And that’s a good thing.
Except that the security settings don’t actually work the way they’re supposed to. There’s an implicit assumption that ‘trusted’ Java applications – those with valid certificates – should be allowed to do whatever they want. That would be fine if certificate status were always reliable. But it’s not. A new vulnerability discovered by security researchers at Avast causes clearly invalid certificates to be treated as valid.
So, the usual advice still applies: disable Java in your web browser unless you absolutely need it. If you need it, consider setting aside one browser just for use with Java, and limit your use of that browser.
Is Oracle losing ground in this battle? Sure feels like it.