Java SE 7 Now Lets Administrators Control What Versions Can Run Where

 Oracle Rolls Out New Monitoring, Security Features for Java SE 7

Oracle on Wednesday announced the availability of the Oracle Java Development Kit (JDK) 7 Update 40 (JDK 7u40), a release that gives system administrators more control over Java running on desktops, along with several other enhancements.

The new security feature, called “Deployment Rule Set,” allows a system administrator to control which applets or Java Web Start applications an end user is permitted to execute and which version of the Java Runtime Environment (JRE) is associated with them.

According to a recent study from Bit9, the majority of enterprises likely have more than one version of Java installed on endpoints, and many of them still are running outdated versions of Java 6. After analyzing roughly one million endpoints across several hundred deployments, Bit9 researchers found that 42 percent of endpoints had more than two versions of Java installed at the same time.

This happens because running the installer creates a new instance of Java on the system without removing the older versions, Harry Sverdlove, CTO of Bit9, told SecurityWeek previously.

As Oracle’s Erik Costlow explains in a blog post, the deployment rule set available in JDK 7u40 addresses two major points: 

1. The desktop administrator’s ability to control Java version compatibility, and default choices on the end-user’s desktop. For example, your users may use most recent security updates for most browser applets but still use an old Java 1.6 for that one legacy application that is no longer maintained.


2. The end-user’s awareness of who created the application and their default interaction (ask, run, or block). By seeing the actual company or signer, the user is protected from running code by someone that they do not know. For example, I would trust “My University” or “Erik Costlow” but not “Unknown publisher” or someone else claiming to be me.

Deployment Rule Set provides a common environment to manage employee access in a controlled and secure manner, Oracle said.  
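To make the first point concrete, here is a sketch of a rule set file, added as an illustration and not taken from Oracle's announcement or Costlow's post. The element and attribute names follow Oracle's Deployment Rule Set documentation; the hostnames and the block message are constructed placeholders.

```xml
<!-- ruleset.xml: illustrative example, hostnames are constructed placeholders. -->
<!-- Rules are evaluated top to bottom; the first matching rule decides. -->
<ruleset version="1.0+">

  <!-- The one unmaintained legacy application: allowed to run,
       pinned to an installed Java 1.6 runtime. -->
  <rule>
    <id location="https://legacy.example.com/payroll" />
    <action permission="run" version="1.6*" />
  </rule>

  <!-- Other internal applications: allowed to run, but only on a JRE
       that is at or above the current security baseline. -->
  <rule>
    <id location="*.example.com" />
    <action permission="run" version="SECURE" />
  </rule>

  <!-- Catch-all: an <id> with no attributes matches every applet and
       Java Web Start application not matched above. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by desktop policy. Contact the help desk to request access.</message>
    </action>
  </rule>

</ruleset>
```

The file takes effect only when it is named `ruleset.xml`, packaged in a signed `DeploymentRuleSet.jar`, and installed in the system-wide Java deployment directory. Setting `permission="default"` instead of `block` in the last rule would send unmatched applications through the normal security prompts rather than refusing them outright.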

Other features and enhancements to JDK 7 include advanced monitoring and diagnostic capabilities that enable customers to gather detailed runtime information and perform efficient data analysis, improved performance and efficiencies for Java on ARM servers, and support for Mac OS X retina displays.

The software giant also said that Oracle Java Mission Control and Oracle Java Flight Recorder are now available as commercial features in the Oracle Java SE Advanced offering.

Oracle Java Mission Control and Oracle Java Flight Recorder continuously collect detailed runtime information, with little overhead, from the JVM and other event producers, such as application servers, Oracle explained.

Customers can use the graphical tools for profiling and after-the-fact incident analysis to understand and resolve issues and for monitoring and fulfilling service level agreements (SLAs).

With expanded support for Apple hardware, Java will now recognize Mac OS X retina displays and automatically generate higher resolution graphics.

“With JDK 7 Update 40 Oracle and the Java community are delivering features and enhancements to the Java platform that provide advanced monitoring and analysis of Java application data, which will help enterprise customers more rapidly analyze, understand and resolve issues; greater security and control over end user Java environments for system administrators; increased efficiency and responsiveness of Java applications running on ARM servers and an overall improved user experience for both developers and end users,” said Georges Saab, vice president of Java SE development, Oracle.

Early this year, Oracle acknowledged the security concerns surrounding Java. In January, Oracle’s Milton Smith, head of Java security, held a conference call where he promised increased efforts to communicate with the Java community about security, but agreed that talking about it would not be enough.

“No amount of talking or smoothing over is going to make anybody happy or do anything for us,” Smith said at the time. “We have to fix Java.”

Oracle will highlight the latest Java technology updates at its JavaOne conference taking place in San Francisco from September 22-26.

Related: The Unique Challenges of Controlling Java Exploits

Related: Unpatched Java Versions Remain Widely Used: Report

Related: Oracle Talks Java Security, Pledges More Outreach

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
