Connect with us

Hi, what are you looking for?



Oracle Adds Security in Java Update

Oracle has moved to enhance security in an updated version of the Java Development Kit.

Oracle has moved to enhance security in an updated version of the Java Development Kit.

Among the new features is the ability to disable any Java application from running in the browser. The move, explained Qualys CTO Wolfgang Kandek, allows users with Java installed to run native, local Java applications to disable an attack vector that has been used so much by attackers in the last 12 months.

The update also allows control over the execution of unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. Four levels of security are supported, and the feature can be set in the Java Control Panel or using a command-line install argument. New dialogs also warn when the Java Runtime Environment (JRE) is insecure and needs to be updated.

According to HD Moore, chief security officer at Rapid7, 65 percent of Java users are never on the current version.

Advertisement. Scroll to continue reading.

“For much of 2011 and 2012, being just one version down from the latest would leave your system vulnerable to attack,” he said.

“The ‘best before’ check in Java 7u10 should improve patch uptake going forward, but given how slow this is today, it will take several months before most Java users are using this version,” he continued. “The security panel in 7u10 still defaults to ‘Medium’, which allows untrusted applets to run without user confirmation. Enterprises should strongly consider setting this to ‘High’ instead. This requires user confirmation before running any untrusted applet, adding one more layer of defense between a new sandbox escape exploit and an attacker gaining access to the internal network.”

The ‘Very High’ setting prevents unsigned applets from running at all unless the latest version is installed, he added.

When possible, Java should be limited to users with a legitimate business need, opined Moore.

“The security level features provided in the latest Java update can help users defend themselves, but should not be considered a substitute to removing Java wherever possible,” he said. “The Australian DSD-35  still lists outdated applications, including Java, as the #2 threat that enables targeted intrusions.”

Getting users on the latest version of Java is the biggest challenge around Java security, Kandek said.

“Java v6 will expire in February 2013, which will be the opportunity to convince users of this legacy version to switch to the newest Java v7,” he said. “Any tool that helps an IT administrator in that process would be helpful.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.