CONFERENCE Watch Now: Threat Detection & Incident Response (TDIR) Summit - Watch Event On-Demand
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Adds Security in Java Update

Oracle has moved to enhance security in an updated version of the Java Development Kit.

Oracle has moved to enhance security in an updated version of the Java Development Kit.

Among the new features is the ability to disable any Java application from running in the browser. The move, explained Qualys CTO Wolfgang Kandek, allows users with Java installed to run native, local Java applications to disable an attack vector that has been used so much by attackers in the last 12 months.

The update also allows control over the execution of unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. Four levels of security are supported, and the feature can be set in the Java Control Panel or using a command-line install argument. New dialogs also warn when the Java Runtime Environment (JRE) is insecure and needs to be updated.

According to HD Moore, chief security officer at Rapid7, 65 percent of Java users are never on the current version.

Advertisement. Scroll to continue reading.

“For much of 2011 and 2012, being just one version down from the latest would leave your system vulnerable to attack,” he said.

“The ‘best before’ check in Java 7u10 should improve patch uptake going forward, but given how slow this is today, it will take several months before most Java users are using this version,” he continued. “The security panel in 7u10 still defaults to ‘Medium’, which allows untrusted applets to run without user confirmation. Enterprises should strongly consider setting this to ‘High’ instead. This requires user confirmation before running any untrusted applet, adding one more layer of defense between a new sandbox escape exploit and an attacker gaining access to the internal network.”

The ‘Very High’ setting prevents unsigned applets from running at all unless the latest version is installed, he added.

When possible, Java should be limited to users with a legitimate business need, opined Moore.

“The security level features provided in the latest Java update can help users defend themselves, but should not be considered a substitute to removing Java wherever possible,” he said. “The Australian DSD-35  still lists outdated applications, including Java, as the #2 threat that enables targeted intrusions.”

Getting users on the latest version of Java is the biggest challenge around Java security, Kandek said.

“Java v6 will expire in February 2013, which will be the opportunity to convince users of this legacy version to switch to the newest Java v7,” he said. “Any tool that helps an IT administrator in that process would be helpful.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.