Oracle has moved to enhance security in an updated version of the Java Development Kit.
Among the new features is the ability to disable any Java application from running in the browser. The move, explained Qualys CTO Wolfgang Kandek, allows users with Java installed to run native, local Java applications to disable an attack vector that has been used so much by attackers in the last 12 months.
The update also allows control over the execution of unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. Four levels of security are supported, and the feature can be set in the Java Control Panel or using a command-line install argument. New dialogs also warn when the Java Runtime Environment (JRE) is insecure and needs to be updated.
According to HD Moore, chief security officer at Rapid7, 65 percent of Java users are never on the current version.
“For much of 2011 and 2012, being just one version down from the latest would leave your system vulnerable to attack,” he said.
“The ‘best before’ check in Java 7u10 should improve patch uptake going forward, but given how slow this is today, it will take several months before most Java users are using this version,” he continued. “The security panel in 7u10 still defaults to ‘Medium’, which allows untrusted applets to run without user confirmation. Enterprises should strongly consider setting this to ‘High’ instead. This requires user confirmation before running any untrusted applet, adding one more layer of defense between a new sandbox escape exploit and an attacker gaining access to the internal network.”
The ‘Very High’ setting prevents unsigned applets from running at all unless the latest version is installed, he added.
When possible, Java should be limited to users with a legitimate business need, opined Moore.
“The security level features provided in the latest Java update can help users defend themselves, but should not be considered a substitute to removing Java wherever possible,” he said. “The Australian DSD-35 still lists outdated applications, including Java, as the #2 threat that enables targeted intrusions.”
Getting users on the latest version of Java is the biggest challenge around Java security, Kandek said.
“Java v6 will expire in February 2013, which will be the opportunity to convince users of this legacy version to switch to the newest Java v7,” he said. “Any tool that helps an IT administrator in that process would be helpful.
