Java 7 update 10 introduces important new security controls

Oracle only patches Java for security vulnerabilities three (?) times a year, but that doesn’t mean it doesn’t release other bug fix and feature releases of the nearly ubiquitous runtime environment.

Last week Oracle shipped Java 7 update 10 (Java 7u10), the latest in the Java 7 series, which includes new security controls in addition to a bug fix and updated timezone data.

What are these new controls?

The first one, my favourite, allows you to disable the Java web plugin by unchecking a single tick-box. After installing Java 7u10 you can open the Java control panel and uncheck the option “Enable Java content in the browser”.

For users who have Java-based applications (like me!) disabling the web plugin eliminates most of the risk associated with having Java installed.

Java will also now check to see if it is at the latest security “baseline”. What does that mean? Well, it means the latest Java version that was released with fixes for known vulnerabilities, which as of this posting is Java 7u9.

Oracle states:

If the JRE is deemed expired or insecure, additional security warnings are displayed. In most of these dialogs, the user has the option to block running the app, to continue running the app, or to go to java.com to download the latest release.

In my opinion that is a bit of a security fail. Don’t allow users to choose options that will knowingly place them in harm’s way. As security professionals we have to stop expecting users to make important security decisions (browser certificate warnings, anyone?).

Java 7u10 also introduces the concept of security levels. The default level is Medium, which allows untrusted apps to run if your Java is patched, but will only allow signed applications to run if you are out of date.

This is a terrible default. In my opinion you should never run Java applications without notification and certainly should not run unsigned applications.

Even signed applications might not be safe if your Java is vulnerable. Fortunately there is a custom option that allows you to fine tune this behaviour.

You can control whether to Run without prompt, Prompt user or Don’t run for three different situations.

I prefer to disable Java in your browser entirely, but if you can’t then I recommend Don’t run for untrusted applications whether your Java is up to date or not.

For local applets the Prompt user setting will alert you to the fact that something that uses Java is trying to run and provide an opportunity to block it if you aren’t intentionally executing Java code.

I think it is great that Oracle is making Java more configurable and perhaps they will further strengthen the default settings in a future release. I recommend everyone update and choose the settings most appropriate for their environment.

System administrators should pay special attention to Oracle’s release notes as there are command line options for Windows deployments to control these new settings. It would behoove you to lock them down as tightly as you dare.
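For administrators who want to check what is actually deployed, here is an added example (not from this post or from Oracle) that audits a deployment.properties file for the two controls discussed above. The property names `deployment.webjava.enabled` and `deployment.security.level` and the `.locked` suffix come from Oracle's deployment configuration documentation rather than this page, so confirm them against the release notes for your version; the `HIGH` threshold and the sample files are assumptions constructed for the example.

```python
import re

WEB_KEY = "deployment.webjava.enabled"    # name per Oracle docs, not this post
LEVEL_KEY = "deployment.security.level"   # name per Oracle docs, not this post
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}
# Defaults as the post describes them: plugin enabled, level Medium.
DEFAULTS = {WEB_KEY: "true", LEVEL_KEY: "MEDIUM"}

def parse_properties(text):
    """Parse the simple key=value subset of .properties syntax."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props

def audit(text, min_level="HIGH"):
    """Return a list of findings; an empty list means nothing was flagged."""
    props = parse_properties(text)
    findings = []
    if props.get(WEB_KEY, DEFAULTS[WEB_KEY]).lower() != "false":
        findings.append("browser plugin enabled")
    level = props.get(LEVEL_KEY, DEFAULTS[LEVEL_KEY]).upper()
    # Unrecognised levels rank below everything and are flagged.
    if LEVEL_RANK.get(level, -1) < LEVEL_RANK[min_level]:
        findings.append(f"security level {level} below {min_level}")
    # A '<key>.locked' entry in the system-level file stops users changing it.
    for key in (WEB_KEY, LEVEL_KEY):
        if key + ".locked" not in props:
            findings.append(f"{key} not locked")
    return findings

# Constructed sample: defaults left in place.
WEAK = "# constructed sample\ndeployment.security.level=MEDIUM\n"
# Constructed sample: plugin off, strictest level, both settings locked.
HARDENED = """# constructed sample
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```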