New Java Security Undone By Stolen Certificate
Security protection added by Oracle to the latest Java release has been undone by a revoked certificate, according to researchers.
Ars Technica reports that a certificate used by Texas-based Clearesult Consulting Inc. was revoked by GoDaddy in December. But "Java thinks the stolen certificate used is 100% valid and should be trusted," said Jindrich Kubec, director of threat intelligence at antivirus provider Avast, in an email to Ars Technica.
The publication advises that users running Java "should access the program's advanced settings and check the box next to 'Check certificates for revocation using Certificate Revocation Lists (CRLs)' and set Java's security level to 'very high' under the general security tab."