October 21, 2016

Java SE 7u10 can disable applets in the browser

(LiveHacking.Com) – Oracle has released an update to its Java 7 platform with a number of new security features. Java has been a topic of much debate recently because of the number of zero-day vulnerabilities found in its runtime libraries. The result of all these security problems has been two-fold. First, malware writers have used Java to infect PCs through drive-by downloads. Second, security professionals and publications (including this one) have been encouraging users to disable or uninstall Java completely unless it is absolutely necessary to have it running.

Update 10 adds three security enhancements: 1) the ability to disable any Java application from running in the browser, 2) the ability to select the desired level of security for unsigned applets, 3) warnings when the JRE is insecure.

Apple was the first to add these kinds of enhancements to Java when it released a Java update for OS X that configured all installed web browsers not to run Java applets automatically. It also added a feature that disables the web plug-in if no applets have been run for an extended period of time.

The new ability to disable all Java applications from running in the browser can be set in the Java Control Panel or (on Microsoft Windows only) using a command-line install argument. Java content in the browser is enabled by default; de-selecting the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab) will prevent any Java application from running in the browser.

There are now four new security levels that control how unsigned applets, Java Web Start applications, and embedded JavaFX applications running in a browser are handled. This too is set from the Java Control Panel.

Finally, if the installed JRE is deemed to be insecure because it has expired or is below a security baseline predefined by Oracle, newly implemented dialogs will be displayed urging the user to upgrade to a newer version of Java. The expiry date is hard-coded: if the Java updater has not been able to check for an update before this date, the Java runtime will assume that it is insecure and start warning the user before executing any applets.
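The two browser-related settings described above are stored in the per-user deployment.properties file alongside the Java Control Panel. As an added example (not code from the article or from Oracle), here is a small audit script that parses a constructed copy of that file, reports the weak settings, and produces the hardened equivalent. The property names `deployment.webjava.enabled` and `deployment.security.level` and the level names are assumed from the deployment.properties format, not taken from the article.

```python
"""Audit a Java 7u10-style deployment.properties for browser Java settings.

Assumed property names (not from the article): deployment.webjava.enabled
(the "Enable Java content in the browser" check-box) and
deployment.security.level (the level applied to unsigned applets).
"""

# Constructed sample of a per-user deployment.properties file.
SAMPLE = """\
# Java Deployment Properties (constructed sample)
deployment.version=7.10
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
deployment.security.askgrantdialog.show=true
"""

# Assumed ordering of the security levels, weakest first.
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}


def parse_properties(text):
    """Parse Java .properties syntax: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:  # fall back to the alternative key:value separator
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of findings; an empty list means both settings are hardened."""
    findings = []
    # A missing key is treated as the default (browser Java enabled).
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java content in the browser is enabled; set "
                        "deployment.webjava.enabled=false unless applets are required")
    level = props.get("deployment.security.level", "").upper()
    if LEVEL_RANK.get(level, -1) < LEVEL_RANK["HIGH"]:
        findings.append(f"security level {level or 'unset'} is below HIGH for unsigned applets")
    return findings


def harden(props):
    """Return a copy of the properties with both settings raised to a safe value."""
    fixed = dict(props)
    fixed["deployment.webjava.enabled"] = "false"
    if LEVEL_RANK.get(fixed.get("deployment.security.level", "").upper(), -1) < LEVEL_RANK["HIGH"]:
        fixed["deployment.security.level"] = "HIGH"
    return fixed
```

Running `audit(parse_properties(SAMPLE))` on the sample reports both weak settings, and `audit(harden(...))` on the same input reports none.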

The Java SE 7 run time can be downloaded from here, while the JDK is available here.

Oracle Releases Critical Patch Update for Java

(LiveHacking.Com) – Oracle has released a collection of patches to address multiple security vulnerabilities in Java. The “Critical Patch Update” contains 14 security fixes for the following products:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 5 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

All of these vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. Little else is known about the patches except that 5 of the 14 have a score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS), the severity rating system used by Oracle.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply the update fixes as soon as possible.