Oracle issues new Java version, with security enhancements

The new version most notably offers the ability to block all Java applications from running in the browser, and also now provides levels of security for applets and notifications when Java falls out of date.

The capability in the new JDK 7u10 is meant to thwart Java zero-day exploits, which have become more frequent of late now that Java vulnerabilities are a standard component of exploit kits such as BlackHole, Eleonore and Cool. The kits bank on Java's immense Internet Explorer install base, much of which runs out-of-date versions.

"This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument," Oracle said in the release notes for Java SE Development Kit 7u10.

The update also lets developers set a specific level of security for unsigned Java applets. Oracle describes the feature as "the ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser," adding: "Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument."

Those security levels range from low to very high for web-based Java content, with a default setting of medium. The very high setting prompts the user for permission every time a signed or unsigned Java app wants to run in the browser. If the Java environment is found to be insecure (i.e., an older, unpatched version), unsigned apps will not run at all.

The default medium security level, meanwhile, allows unsigned Java apps to run automatically in up-to-date environments, but issues an alert if the installed Java version is not considered secure. "You will be prompted if an unsigned app requests to run on an old version of Java," Oracle said.

The Security Level setting affects unsigned plug-in applets, Java Web Start applications, embedded JavaFX applications and access to the native deployment toolkit plugins, Oracle said.
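The settings described above are also persisted in the Java deployment.properties file, which lets an administrator audit them without opening the Control Panel. The following is an added example (not Oracle's code); it assumes the property keys `deployment.webjava.enabled` and `deployment.security.level` from Oracle's deployment configuration documentation, which this article does not quote, and the file contents are constructed:

```python
"""Audit a Java 7u10 deployment.properties for the browser and security-level
settings described in the article. Example code, not Oracle's. The keys
deployment.webjava.enabled and deployment.security.level are assumed from
Oracle's deployment configuration docs (they are not quoted in the article)."""

# Constructed sample of a per-user deployment.properties file.
SAMPLE = """\
#deployment.properties
#Mon Dec 17 10:00:00 GMT 2012
deployment.version=7.10
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
deployment.javaws.autodownload=NEVER
"""

# The four levels the article says 7u10 supports, weakest first.
LEVELS = ("LOW", "MEDIUM", "HIGH", "VERY_HIGH")


def parse_properties(text):
    """Minimal Java .properties reader: skip comments and blank lines, split on first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return (security_level, findings); an empty findings list means no weak setting found."""
    props = parse_properties(text)
    findings = []
    # Java in the browser is on unless explicitly disabled.
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("Java in the browser is enabled; set deployment.webjava.enabled=false where applets are not needed")
    level = props.get("deployment.security.level", "MEDIUM").upper()  # medium is the 7u10 default
    if level not in LEVELS:
        findings.append("unrecognised security level %r" % level)
    elif level in ("LOW", "MEDIUM"):
        # Per the article, medium lets unsigned apps run automatically on a current JRE.
        findings.append("security level %s runs unsigned apps without a prompt on a current JRE; consider VERY_HIGH" % level)
    return level, findings


if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print("FINDING:", finding)
```

Run it against a file read from disk in place of SAMPLE; a hardened file (browser Java disabled, level VERY_HIGH) produces no findings.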

Finally, a dialog box now warns users when the Java Runtime Environment is out of date or below the security baseline.
