Java SE 7 Now Lets Administrators Control What Versions Can Run Where

 Oracle Rolls Out New Monitoring, Security Features for Java SE 7


Oracle on Wednesday announced the availability of the Oracle Java Development Kit (JDK) 7 Update 40 (JDK 7u40), a release that gives system administrators more control over Java running on desktops, along with several other enhancements.

The latest security feature being introduced is called “Deployment Rule Set,” a feature that allows a system administrator to control which applets or Java Web Start applications an end user is permitted to execute and which version of the Java Runtime Environment (JRE) is associated with them.

According to a recent study from Bit9, the majority of enterprises likely have more than one version of Java installed on endpoints, and many of them still are running outdated versions of Java 6. After analyzing roughly one million endpoints across several hundred deployments, Bit9 researchers found that 42 percent of endpoints had more than two versions of Java installed at the same time.

This happens because running the installer creates a new instance of Java on the system without removing the older versions, Harry Sverdlove, CTO of Bit9, told SecurityWeek previously.

As Oracle’s Erik Costlow explains in a blog post, the deployment rule set available in JDK 7u40 addresses two major points: 

1. The desktop administrator’s ability to control Java version compatibility, and default choices on the end-user’s desktop. For example your users may use most recent security updates for most browser applets but still use an old Java 1.6 for that one legacy application that is no longer maintained.


2. The end-user’s awareness of who created the application and their default interaction (ask, run, or block). By seeing the actual company or signer, the user is protected from running code by someone that they do not know. For example, I would trust “My University” or “Erik Costlow” but not “Unknown publisher” or someone else claiming to be me.

Deployment Rule Set provides a common environment to manage employee access in a controlled and secure manner, Oracle said.  
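As an added illustration (not code from Oracle or from this article): a Deployment Rule Set is an XML file of ordered rules in which the first matching rule wins, and the Python sketch below audits a constructed one for the mistakes that undo that control. The hostnames are placeholders and `audit_ruleset` is a hypothetical helper; the element and attribute names follow Oracle's documented `ruleset.xml` format.

```python
import xml.etree.ElementTree as ET

# Constructed sample ruleset.xml; hostnames are placeholders, not from the article.
SAMPLE_RULESET = """\
<ruleset version="1.0+">
  <rule>  <!-- the one legacy application stays on Java 1.6 -->
    <id location="https://legacy.example.com/payroll/" />
    <action permission="run" version="1.6*" />
  </rule>
  <rule>  <!-- other internal applets run on the default JRE -->
    <id location="https://*.example.com" />
    <action permission="run" />
  </rule>
  <rule>  <!-- an empty id matches everything else -->
    <id />
    <action permission="block">
      <message>Blocked by desktop policy.</message>
    </action>
  </rule>
</ruleset>
"""

def audit_ruleset(xml_text):
    """Return review findings for a rule set (rules apply first-match, top down)."""
    findings = []
    rules = ET.fromstring(xml_text).findall("rule")
    closed = False  # becomes True only if the last rule is a catch-all block
    for n, rule in enumerate(rules, start=1):
        rid, action = rule.find("id"), rule.find("action")
        if rid is None or action is None:
            findings.append(f"rule {n}: missing <id> or <action>")
            continue
        perm = action.get("permission")
        version = action.get("version", "")
        catch_all = not rid.attrib and len(rid) == 0  # no location, no certificate
        if perm not in ("run", "block", "default"):
            findings.append(f"rule {n}: unknown permission {perm!r}")
        if perm == "run" and catch_all:
            findings.append(f"rule {n}: runs every application")
        if perm == "run" and version and not version.startswith("SECURE"):
            findings.append(f"rule {n}: pinned to JRE {version}, keep its location narrow")
        if catch_all and n < len(rules):
            findings.append(f"rule {n}: catch-all makes later rules unreachable")
        closed = catch_all and perm == "block" and n == len(rules)
    if not closed:
        findings.append("no final catch-all block rule")
    return findings
```

On the sample, the only finding is the deliberate Java 1.6 pin for the legacy application, which is the exception a reviewer would want to see scoped to a single location.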


Other features and enhancements to JDK 7 include advanced monitoring and diagnostic capabilities that enable customers to gather detailed runtime information and perform efficient data analysis, improved performance and efficiencies for Java on ARM servers, and support for Mac OS X retina displays.

The software giant also said that Oracle Java Mission Control and Oracle Java Flight Recorder are now available as commercial features in the Oracle Java SE Advanced offering.

Oracle Java Mission Control and Oracle Java Flight Recorder continuously collect detailed runtime information, with little overhead, from the JVM and other event producers, such as application servers, Oracle explained.

Customers can use the graphical tools for profiling and after-the-fact incident analysis to understand and resolve issues and for monitoring and fulfilling service level agreements (SLAs).

With expanded support for Apple hardware, Java will now recognize Mac OS X retina displays and automatically generate higher resolution graphics.

“With JDK 7 Update 40 Oracle and the Java community are delivering features and enhancements to the Java platform that provide advanced monitoring and analysis of Java application data, which will help enterprise customers more rapidly analyze, understand and resolve issues; greater security and control over end user Java environments for system administrators; increased efficiency and responsiveness of Java applications running on ARM servers and an overall improved user experience for both developers and end users,” said Georges Saab, vice president of Java SE development, Oracle.

Earlier this year, Oracle publicly acknowledged the security concerns surrounding Java. In January, Oracle’s Milton Smith, head of Java security, held a conference call in which he promised increased efforts to communicate with the Java community about security, but agreed that talking about it would not be enough.

“No amount of talking or smoothing over is going to make anybody happy or do anything for us,” Smith said at the time. “We have to fix Java.”

Oracle will highlight the latest Java technology updates at its JavaOne conference taking place in San Francisco from September 22-26.

Related: The Unique Challenges of Controlling Java Exploits

Related: Unpatched Java Versions Remain Widely Used: Report

Related: Oracle Talks Java Security, Pledges More Outreach

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
