Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Adds Security in Java Update

Oracle has moved to enhance security in an updated version of the Java Development Kit.

Oracle has moved to enhance security in an updated version of the Java Development Kit.

Among the new features is the ability to disable any Java application from running in the browser. The move, explained Qualys CTO Wolfgang Kandek, allows users with Java installed to run native, local Java applications to disable an attack vector that has been used so much by attackers in the last 12 months.

The update also allows control over the execution of unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. Four levels of security are supported, and the feature can be set in the Java Control Panel or using a command-line install argument. New dialogs also warn when the Java Runtime Environment (JRE) is insecure and needs to be updated.

According to HD Moore, chief security officer at Rapid7, 65 percent of Java users are never on the current version.

Advertisement. Scroll to continue reading.

“For much of 2011 and 2012, being just one version down from the latest would leave your system vulnerable to attack,” he said.

“The ‘best before’ check in Java 7u10 should improve patch uptake going forward, but given how slow this is today, it will take several months before most Java users are using this version,” he continued. “The security panel in 7u10 still defaults to ‘Medium’, which allows untrusted applets to run without user confirmation. Enterprises should strongly consider setting this to ‘High’ instead. This requires user confirmation before running any untrusted applet, adding one more layer of defense between a new sandbox escape exploit and an attacker gaining access to the internal network.”

The ‘Very High’ setting prevents unsigned applets from running at all unless the latest version is installed, he added.

When possible, Java should be limited to users with a legitimate business need, opined Moore.

“The security level features provided in the latest Java update can help users defend themselves, but should not be considered a substitute to removing Java wherever possible,” he said. “The Australian DSD-35  still lists outdated applications, including Java, as the #2 threat that enables targeted intrusions.”

Getting users on the latest version of Java is the biggest challenge around Java security, Kandek said.

“Java v6 will expire in February 2013, which will be the opportunity to convince users of this legacy version to switch to the newest Java v7,” he said. “Any tool that helps an IT administrator in that process would be helpful.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.