
Java 7 Update 11 Released to Address Security Issues

01.14.2013

On Sunday, Oracle released Java 7 Update 11 in order to address the recent security issues that had led Mozilla to add recent versions of Java to its add-on blocklist. With the latest update in place, you should be able to re-enable Java in your browser with peace of mind.

However, according to this latest article on Reuters, there may still be further security flaws:

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

In case you missed the news, the 0-day exploit allows attackers to run arbitrary code on client systems through malicious web pages. The thing is that this exploit wouldn't have worked if Oracle had issued a complete fix for an insecure implementation of the Reflection API.

Let's assume that's all in the past now: what was changed in this latest update? Mainly, the default security level for all applets and Web Start applications has been raised from medium to high. This means the user is always warned before any unsigned application is run.

One thing: if you have the standalone version of JavaFX 2.x installed, you'll have issues seeing the security level slider in the Java Control Panel. To get around this, just uninstall the standalone version.
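As an added illustration that is not part of the original post, the same security level can be enforced for every user on a machine through Java's system-level deployment configuration instead of the Control Panel slider; the file paths below are assumed examples for a Windows host, and the key names are those of the Java deployment configuration.

```properties
# deployment.config (system-wide; assumed location: C:\Windows\Sun\Java\Deployment\deployment.config)
# Points the Java plug-in at a system deployment.properties file and makes loading it mandatory.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# deployment.properties (system-wide file referenced above)
# Force the applet / Web Start security level to HIGH, matching the new 7u11 default,
# so unsigned applications always prompt the user before they run.
deployment.security.level=HIGH
# Lock the property so the Control Panel slider cannot lower it back to MEDIUM.
deployment.security.level.locked
```

With the property locked, the slider is shown greyed out in the Control Panel and the setting survives a user trying to change it.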

This whole issue has people a bit spooked about Java in their browser. Will you go ahead and re-enable Java in your web browser? Or are you going to take the ultra-cautious approach and wait until security analysts say that all is well with Java?

Published at DZone with permission of its author, James Sugrue.
Comments

Greg Brown replied on Mon, 2013/01/14 - 8:18am

I'm leaving it disabled. I don't actively use any web site/app that requires it.

 

Peter Hansson replied on Tue, 2013/01/15 - 10:37am

It seems there are many 'security experts' that would have us think that this is an either/or question. The only recommendation they seem to be able to come up with is: 'turn it all off'.

Of course, if you never actually need Java in the browser then the choice is simple. But in corporate land it is very, very rare that you wouldn't need Java in the browser.

There are quite a few options available that prevent the browser from executing any Java code unless you explicitly approve it. Some solutions (like the one now introduced by Oracle as of v7 Update 11) will prompt you every time. If you don't trust the site, you simply answer 'no'. I understand that a similar solution has always existed in Chrome.

Firefox users can benefit from the excellent NoScript extension. This has lots of configuration options but basically can work on the basis of whitelists that you control. Every time you visit a page that requires Java (or Flash, or .Net .. or...) you will be asked what you want to do: add to whitelist, enable for this time only, or reject.

I'm sure this was just a small sample of the solutions that exist.

We simply have to accept that any code that is doing more than just page rendering can be potentially unsafe. We have to find new ways of dealing with these threats rather than just saying "turn it all off" or "uninstall completely". I wish the 'security experts' were better informed as to what options are really available. I'm not, but I do not claim to be an expert.

