Java 7 update 10 introduces important new security controls

Filed Under: Featured, Java, Oracle, Security threats

Oracle only patches Java for security vulnerabilities three (?) times a year, but that doesn't mean it doesn't release other bug fix and feature releases of the nearly ubiquitous runtime environment.

Last week Oracle shipped Java 7 update 10 (Java 7u10), the latest in the Java 7 series, which includes new security controls in addition to a bug fix and updated timezone data.

What are these new controls?

The first one, my favourite, allows you to disable the Java web plugin by unchecking a single tick-box. After installing Java 7u10 you can open the Java control panel and uncheck the option "Enable Java content in the browser".

For users who have Java-based applications (like me!) disabling the web plugin eliminates most of the risk associated with having Java installed.

Java will also now check to see if it is at the latest security "baseline". What does that mean? Well, it means the latest Java version that was released with fixes for known vulnerabilities, which as of this posting is Java 7u9.

Oracle states:

If the JRE is deemed expired or insecure, additional security warnings are displayed. In most of these dialogs, the user has the option to block running the app, to continue running the app, or to go to java.com to download the latest release.

In my opinion that is a bit of a security fail. Don't allow users to choose options that will knowingly place them in harm's way. As security professionals we have to stop expecting users to make important security decisions (browser certificate warnings, anyone?).

Java 7u10 also introduces the concept of security levels. The default level is Medium which allows untrusted apps to run if your Java is patched, but will only allow signed applications to run if you are out of date.

This is a terrible default. In my opinion you should never run Java applications without notification and certainly should not run unsigned applications.

Even signed applications might not be safe if your Java is vulnerable. Fortunately there is a custom option that allows you to fine tune this behaviour.

You can control whether to Run without prompt, Prompt user or Don't run for three different situations.

I prefer to disable Java in your browser entirely, but if you can't then I recommend Don't run for untrusted applications whether your Java is up to date or not.

For local applets the prompt user setting will alert you to the fact that something that uses Java is trying to run and provide an opportunity to block it if you aren't intentionally executing Java code.

I think it is great that Oracle is making Java more configurable and perhaps they will further strengthen the default settings in a future release. I recommend everyone update and choose the settings most appropriate for their environment.

System administrators should pay special attention to Oracle's release notes as there are command line options for Windows deployments to control these new settings. It would behoove you to lock them down as tightly as you dare.
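As an added example (not from this post or from Oracle), here is a small audit script for the system-level deployment.properties file that those Windows deployment options write. It checks the settings recommended above: web plugin off, security level VERY_HIGH, the baseline expiration check on, and each key locked so the Java control panel cannot loosen it. The key names are the documented Java 7 deployment property names; both sample files are constructed.

```python
"""Audit a Java 7u10 system deployment.properties against the hardening
advice in the post. Sample file contents below are constructed."""

# Documented Java 7 deployment keys; expected values are the post's
# recommendations, not Oracle's defaults.
WANTED = {
    "deployment.webjava.enabled": "false",
    "deployment.security.level": "VERY_HIGH",
    "deployment.expiration.check.enabled": "true",
}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':'
    separators, trailing-backslash continuation. A bare key maps to ''."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1]
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        sep = min(seps) if seps else -1
        key, value = (line, "") if sep < 0 else (line[:sep], line[sep + 1:])
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return human-readable findings; an empty list means hardened."""
    props, findings = parse_properties(text), []
    for key, want in WANTED.items():
        got = props.get(key)
        if got is None:
            findings.append(f"{key} not set (user choice applies)")
        elif got.lower() != want.lower():
            findings.append(f"{key}={got}, expected {want}")
        if props.get(key + ".locked") is None:  # '.locked' pins the value
            findings.append(f"{key} not locked; users can change it")
    return findings


WEAK = "# constructed: out-of-the-box style settings\n" \
       "deployment.webjava.enabled=true\ndeployment.security.level=MEDIUM\n"
HARDENED = "# constructed: locked-down settings\n" + "".join(
    f"{k}={v}\n{k}.locked\n" for k, v in WANTED.items())

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or ["OK"])
```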


25 Responses to Java 7 update 10 introduces important new security controls

  1. AMCarter3 · 587 days ago

    I run Java on my Apple MacBook Pro because I want to run at least one web-based streaming program that uses Java. I am concerned about security. However, I did not see the option in the Java prefs you described as "Don't run" for untrusted applications whether your Java is up to date or not. Does it exist in the Apple OS X version of Java 7u10? Where is it?

  2. Cheryl · 587 days ago

    The Custom settings button is grayed out for me with Win 7. Any ideas?

    • Deramin · 586 days ago

      Move the arrow to the bottom of the slider bar, next to the Custom level. Then the Settings button should become active. At least, that's how it's supposed to work.

  3. petal · 586 days ago

    Can't say for other OS, but on my XP machine the new settings didn't display in the Java Control Panel - to resolve, I removed all old versions of Java and reinstalled u10. The new options were then available.

    • myklj · 564 days ago

      I had the same issue on my XP machine. I just deleted the older versions and left the latest u10 update and the options showed up in the control panel. Thanks for the tip !

  4. GSteve · 586 days ago

    I installed the 7u10 update using java's control panel update button, and after the update Java is not listed in the control panel (although the installer reported the installation was successful). Running a Home Built AMD Dual-core based machine with Windows XP Pro SP3. What do I do now?

    • Spryte · 563 days ago

      I had the same issue... reboot solved the issue.

      More than just "restart your browser" as Oracle suggests.

      Good Luck

  5. roy jones jr · 585 days ago

    Wait, Oracle only does serious work on a high maintenance software 3 times in a year? Well they do say it's "free to download".

  6. Cher · 581 days ago

    I have apps and sometimes encounter apps that won't run unless Java is installed, so even though I remove it at times I am forced to reinstall if I need to run or view whatever it may be.
    I am willing to try the new ver and thanks so much for offering this. Have you all uninstalled your Java s/w before installing this? I have an xp pro, a vista Ultimate 64 bit and vista 32 Home Premium OS.

  7. Phil · 563 days ago

    I have Java 7 update 10 on my Windows Vista. When I open programs in Control Panel and click on Java 7 update 10 I do not have a Change option. I can only uninstall. I prefer to disable but I do not know how or are unable to see or get a Java Control Panel to open. Is the only way to protect my machine uninstall?

    • Spryte · 563 days ago

      It sounds like you are looking in the "Add Remove Programs" dialog.

      Java should have its own icon (coffee cup) in the Control Panel.

      If you cannot see it, as happened to me, close all applications and reboot.

      That allowed me to see the Java icon and configure it.

      Good Luck

      • Colin S · 562 days ago

        I installed Java 7u10 just recently and noticed when I open up my control panel and then open up 'programs and features' I have Java now stored in there instead of having to see it in my programs, and I actually thought I had done something wrong as I had never noticed Java in there before.

  8. Linda Hoffman · 563 days ago

    How do I get to the Java control panel?

  9. john brand · 563 days ago

    You folks really don't have a clue how confusing your instructions are for most users. Not a clue.

  10. Mary · 563 days ago

    Really,....what? Everything I do on my computer shows Javascript is loading it....now, what happens if I disable it, that is if I can figure out how to disable it....to what an easier to hack what?

    • Steve · 563 days ago

      Javascript and Java are two completely different things with a similar name. Disabling Java will not affect Javascript in any way.

  11. Lou Gastuch · 562 days ago

    1/13/13, 14:52 CDT --
    I just checked on my Win7 desktop -- and after the most recent update, Java reports Java7u11.

    HOWEVER, I can locate nothing (so far) which details what the release date of update 11 is, nor what the update addresses.

    Can someone enlighten me?
    Specifically, does this mitigate the current vulnerabilities?

    Thanks!

  12. mynameisse · 562 days ago

    How do you disable java, thru add/remove or at Java ? Should remove/disable all Java apps or just Java 7 update 6? How do you get the update Java u10?

  13. Cornwallis · 559 days ago

    I have a new Windows 7 machine, and I cannot find the Java Control Panel. If I do a Control Panel Search, I can find Java within several programs that I know need Java to run, but I cannot find Java outside of those programs. I can find Java Script. Does this mean that I do not have Java except for within the programs that need Java?

  14. Shawna · 559 days ago

    I tried to open Java up (in the control panel) and it will not open. I have tried many many times. I can't change the settings if it won't open. Does that mean that I have been affected? I don't know if it is Java causing my problems but my computer has been acting wacky for 2 days.

  15. Chester Wisniewski · 550 days ago

    If you don't need Java, remove it. If you continue to require it then you should always keep it up to date.

  16. Gloria Latta · 186 days ago

    How can I enable Java in one browser and disable it in a different browser when the Control Panel Java settings apply to the computer universally? Doesn't the browser that's enabled endanger the entire computer?

    • Paul Ducklin · 185 days ago

      Yes, it does, but the theory is that if you have Java turned on in one browser you use occasionally and cautiously but turned off in a second browser you use for most of your work, that's nevertheless better than having Java on at all times and in all places.

  17. Eric · 120 days ago

    I'm trying to run a document viewer that uses Java RRViewer and it keeps reporting that 'rrviewer disabled by security settings'. I have added the websites as exceptions in the security tab in the Java control panel, no luck. I added three websites (parent website and two sites linking to the document). I even tried reducing to medium security level, no luck. Any ideas, anyone?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.