September 19, 2014

Java SE 7u10 can disable applets in the browser

(LiveHacking.Com) – Oracle has released an update to its Java 7 platform with a number of new security features. Java has been a topic of much debate recently due to the number of zero-day vulnerabilities found in its run time libraries. The result of all these security problems has been two-fold. First, Java has been used by malware writers as a way to infect PCs by using drive-by downloads. Second, security professionals and publications (including this one) have been encouraging users to disable or uninstall Java completely unless it is absolutely necessary to have it running.

Update 10 adds three security enhancements: 1) the ability to disable any Java application from running in the browser, 2) the ability to select the desired level of security for unsigned applets, 3) warnings when the JRE is insecure.

Apple was the first to add these kinds of enhancements to Java (for OS X) when it released a Java update for OS X that configured all installed web browsers to not automatically run Java applets. It also added the feature to disable the web plug-in if no applets had been run for an extended period of time.

The new ability to disable any Java applications from running in the browser can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument. Although enabled by default, de-selecting the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab) will prevent any Java application from running in the browser.

There are now four new levels of security which can be set to control the level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. This to is set from the Java Control Panel.

Finally, if the installed JRE is deemed to be insecure because it has expired or is below a predefined (by Oracle) security baseline, then newly implemented dialogs will be displayed urging the user to upgrade to a newer version of Java. The expiry date is hard coded and if the Java updater has not been able to check for an update prior to this date, the Java runtime will assume that it is insecure and start warning the user prior to executing any applets.

The Java SE 7 run time can be downloaded from here, while the JDK is available here.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks