Java 7 Update 10 allows users to restrict the use of Java in browsers

Java users can now block Web-based Java content completely or enforce strict restrictions for it

A recent Java 7 update allows users to completely prevent Java applications from running inside browsers or to restrict how Web-based Java content is handled by the Java Runtime Environment (JRE) client. These features will benefit security-conscious users, but companies still have to find methods of isolating older Java versions, security experts say.

Java 7 Update 10 (7u10), released on Dec. 11, does not address any security vulnerabilities, but provides several security enhancements. According to its release notes, the new version provides users with "the ability to disable any Java application from running in the browser." This can be done from the "Security" tab on the Java control panel by clearing the "enable Java content in the browser" checkbox.

Security experts have long advised users to remove the Java plug-in from their Web browsers in order to protect themselves from the increasingly prevalent Web-based attacks that exploit Java vulnerabilities to infect computers with malware. However, in order to follow this advice users had to remove the plug-in from all of their browsers one by one and were often forced to redo the process after installing new Java updates.

Java 7u10 seems to make things easier by providing users with a central and persistent option for controlling Web-based Java content regardless of how many browsers they use. In addition, the new Java version provides users who can't afford to completely block such content with a method of controlling how potentially dangerous applets are handled.

Starting with Java 7u10 users have to ability to set security levels from low to very high for Web-based Java content, with medium being the default option. The medium security level will allow unsigned Java apps to run, but only if the Java version is considered secure. "You will be prompted if an unsigned app requests to run on an old version of Java," Oracle said in the tech notes for the new control panel security options.

Setting the security level to very high will prompt the user for permission every time a Java app, signed or unsigned, attempts to run in the browser. If the Java version is deemed insecure, unsigned apps won't run at all, regardless of what the user decides.

"The Security Level setting affects unsigned plug-in applets, Java Web Start applications, embedded JavaFX applications, and access to the native deployment toolkit plugins," Oracle said.

In addition, Java 7u10 introduces new dialogs that warn users when the installed JRE version is insecure and needs to be updated.

These changes don't make Java more secure in itself, but will likely make it easier for users to make their PCs more secure because they allow users to manage certain restrictions, Thomas Kristensen, chief security officer at vulnerability research and management firm Secunia, said Tuesday via email. However, in order for the majority of users to be protected, Oracle needs to set the new options in a restrictive way by default, because most users won't understand or know about the new restrictions, he said.

"The dialog warning about old and insecure versions is a big step in the right direction," Kristensen said. "Hopefully, it will make users think twice before running code on old Java versions."

Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, said that every step Oracle takes in safeguarding the end user is welcome, but agreed with Kristensen that most users will probably not use the new features because they don't understand them and because they're unwilling to update their software in general. Because of Java's large install base -- over 3 billion devices -- cybercriminals are unlikely to stop targeting it, he said via email.

In fact, the new dialogs warning about the use of insecure JRE versions might end up being used against users in social engineering scams in a similar way in which rogue Flash Player update notifications were used to distribute malware, Botezatu said.

"In corporate environments, this Java update may not immediately show its benefits, especially for companies who have developed in-house applications relying on Java and are unable to update for compatibility issues," Botezatu said. "Despite the fact that Java editions are usually backwards compatible with applications already built, the massive improvements in Java 7 may be insufficiently tested in production for corporations to take the risk of mass deployment in live environments."

"Companies with a need for old Java must find ways to virtualize or otherwise isolate old Java instances," Kristensen said. "It may be costly in terms of convenience and perhaps efficiency to isolate or virtualize old Java for use with non-modern enterprise applications, but the risk of surfing the web with an old version of Java can not justify convenience and small savings."

"If these Java settings are manageable via GPO (Group Policy) or similar centralized management tools, then it is likely to improve security for companies who only run the latest version, or have successfully isolated old versions," Kristensen said.

However, not everyone agrees that companies should migrate to Java 7. Adam Gowdiak, the founder of Security Explorations, a Polish security company with a strong focus on Java vulnerability research, believes that from the prospect of vulnerabilities being found in the code, migrating to Java 7 represents a higher risk than continuing to use Java 6.

"Our research proved that Java 7 was far more insecure that its predecessor version," Gowdiak said via email. "There were also many indications that certain new features introduced into Java 7 such as the new Reflection API didn't run through any security review."

"We are not surprised that corporations are resistant when it comes to the upgrade to Java 7," Gowdiak said. "The number of security bugs we found in Java 7 speaks for itself."

Because of this, Oracle should extend the public support period for Java 6, he said.

According to Oracle's support roadmap for Java, the company will stop issuing public updates for Java 6 after February 2013. Companies interested in receiving Java 6 security advisories, patches and bug fixes, after that date will have to sign up for a commercial extended support service.

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetysecuniasecuritySecurity ExplorationsDesktop securityOraclebitdefender

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place