With Java 7 Update 21, Oracle has made available a patch release that can be regarded as important. The release includes 42 patches that fix security issues; Oracle says that 39 of these issues potentially allow attackers to take control of computers without authentication. In view of the numerous recent attacks on the Java platform, Oracle recommends that users install the new update as soon as possible. Nineteen of the security holes that have been fixed with the new update are explicitly rated at the highest Common Vulnerability Scoring System (CVSS) level of 10; many other flaws would be equally critical, but are rated lower by Oracle because they are more complex to access and exploit.
The update advisory lists the vulnerabilities, and the pattern is familiar to anyone who has looked at the advisories for the most recent sets of updates. The list of flaws includes 7 critical flaws in the 2D graphics system, with other flaws spread throughout the various subcomponents of Java. Oracle also unexpectedly released an update for Java 6, Java 6 Update 45, which addresses a subset of the applicable vulnerabilities in the older Java release; Java 6 had been expected to reach the end of its life for security updates, but Oracle does appear to be continuing to ship updates for Java 6 while trying to clear the current onslaught of security vulnerabilities.
Oracle’s applet security story has also been tightened up with even more restrictions on what applets can run. With Java 7 Update 17, Oracle added a simple slider control for setting the security level of unsigned applets in the Java Control Panel; it allowed users to choose a low, medium, high, or very high risk setting. In early 2013, Oracle announced that it would modify the way the browser plugin handles unsigned and self-signed code, and the company’s latest update refines this approach.
Now, the “low-risk” level is no longer available, which means that unsigned and self-signed applets can no longer be executed without triggering a prior user warning. The browser plugin will only start the Java Virtual Machine and execute an application once users have confirmed that they really do want to execute Java content. Developers who deliver Java applets to customers will need to look at getting the applets signed with a valid CA-issued certificate.
Dangerous defaults let certificates stay unchecked

The warnings for Java applets now come in two types: an applet that has a valid certificate generates a warning dialog with the Java logo in it and details of the applet’s certificate, but an applet that is signed with an invalid certificate, is unsigned, or is self-signed will generate a warning with a yellow shield and warning triangle, which is designed to recommend that the applet should not be run. There is a problem, though, with the certificate checking: as The H reported in March, criminals were using revoked certificates as part of their attacks and the Java runtime was doing nothing to check the validity of certificates. This has not changed in the latest update of Java either; online validation and revocation checks are still off by default.
To remain safe, The H continues to advise users to disable Java in the browser; this can be done on Windows through the Java control panel by selecting “Disable Java content in the browser” under the Security tab. If Java is occasionally needed, users should at least activate the click-to-play functionality in browsers such as Firefox and Chrome.
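The two points above, revocation checks that are off by default and Java content in the browser that should be disabled, both come down to settings in the Java deployment configuration. The following audit script is an added example, not code from The H or from Oracle: it parses a Java `deployment.properties` file and reports which of those settings are missing, weak, or left unlocked. The key names (`deployment.security.validation.crl`, `deployment.security.validation.ocsp`, `deployment.security.level`, `deployment.webjava.enabled`) and the convention that a bare `<key>.locked` line prevents the value being changed in the Java Control Panel are the author's assumptions about the Java 7 deployment configuration format and are not taken from the page; the two sample files are constructed.

```python
"""Audit a Java 7 deployment.properties file for the browser-plugin settings
discussed above. Added example; key names and the '.locked' convention are
assumptions about the Java 7 deployment.properties format, not from the page."""
import sys
from typing import Dict, List

# Expected hardened values (assumed key names and values).
HARDENED = {
    "deployment.security.validation.crl": "true",   # check certificate revocation lists
    "deployment.security.validation.ocsp": "true",  # online OCSP revocation checks
    "deployment.security.level": "VERY_HIGH",       # applet security slider at its top setting
    "deployment.webjava.enabled": "false",          # no Java content in the browser at all
}

# Constructed sample: a per-user file that keeps the defaults described above.
WEAK_EXAMPLE = """\
#Sample per-user deployment.properties (constructed)
deployment.version=7.21
deployment.security.level=HIGH
deployment.security.validation.crl=false
"""

# Constructed sample: a system-wide file with every setting hardened and locked.
HARDENED_EXAMPLE = """\
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: 'key=value' or 'key:value' lines,
    '#'/'!' comment lines, backslash line continuations. A line with no
    separator (such as 'foo.locked') is stored with an empty value."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()   # continuation lines drop leading whitespace
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]         # value continues on the next line
            continue
        for i, ch in enumerate(line):   # first unescaped '=' or ':' splits key/value
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i], line[i + 1:]
                break
        else:
            key, value = line, ""
        props[key.strip().replace("\\", "")] = value.strip()
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means every hardening key
    is present, set as expected and locked. A missing key is a finding too,
    because the built-in default for revocation checking is off."""
    findings: List[str] = []
    for key, want in HARDENED.items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key}: not set, Java's built-in default applies (expected {want})")
        elif got.lower() != want.lower():
            findings.append(f"{key}={got} (expected {want})")
        elif key + ".locked" not in props:
            # Assumption: without a bare '<key>.locked' line the user can flip
            # the value back in the Java Control Panel.
            findings.append(f"{key}: set correctly but not locked")
    return findings


if __name__ == "__main__":
    # Usage: python audit_java_deployment.py [path/to/deployment.properties]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_EXAMPLE
    for finding in audit(parse_properties(text)) or ["no findings"]:
        print(finding)
```

Run against the system-wide `deployment.properties` rather than only the per-user copy: the per-user file can still override anything that is not locked, which is why the script treats an unlocked but correct value as a finding rather than a pass.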
The updated editions of Java, JDK and JRE, are available from the Java SE Downloads page.