Oracle has released a new version of the Java Development Kit that includes a number of security improvements. The major change in JDK 7u10 is the ability to prevent any Java application from running in the browser, a big shift for a Java environment that is a constant target of attacks.
The new release also includes some additional security enhancements, most notably a setting that lets users and administrators choose a specific security level for unsigned Java applets. Java, and the applications built on it, has become a high-priority target for attackers in the last couple of years, and a number of significant attacks have focused on Java bugs recently. In August, researchers identified a group from China known as the Nitro crew as one of the groups using a pair of Java zero-day vulnerabilities in targeted attacks.
Exploits for Java bugs are routinely added to the major exploit kits such as Blackhole, Eleonore and the Cool exploit kit. Attackers favor Java as a target for a number of reasons, but the key attraction is Java's enormous installed base. Java sits on hundreds of millions of machines worldwide, and a good percentage of those installations are older, out-of-date versions that include vulnerabilities that are easy pickings for attackers.
Oracle's decision to let people disable Java applications in the browser could be an important step in blunting the widespread Java attacks. The exploit kits deliver their Java exploits through the browser plug-in, so switching it off removes that delivery path on a machine, even though the underlying bugs remain in the installed runtime and are still reachable by standalone Java applications until the JRE is updated.
“This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument,” Oracle said in the release notes for Java SE Development Kit 7u10.
Oracle also included a new setting that lets users and administrators choose the security level applied to unsigned applets, another important change in the security of Java applications.
“The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument,” Oracle said.
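As an added illustration, not taken from Oracle's release notes, the following PowerShell shows how an administrator could apply both settings at install time on Windows and then pin them in a system-wide deployment configuration so the Java Control Panel cannot quietly undo them. The installer arguments WEB_JAVA and WEB_JAVA_SECURITY_LEVEL and the deployment.webjava.enabled and deployment.security.level properties are the ones documented for 7u10; the installer file name, the deployment directory under %WINDIR%\Sun\Java\Deployment, and the use of the .locked suffix on these two keys are assumptions that should be checked against the release you actually deploy.

```powershell
# Added example (not Oracle's code): silent Windows install of JRE 7u10 with Java
# content disabled in the browser and the unsigned-content level set to Very High.
# The installer file name is an assumption; use the package you actually deploy.
$installer = "jre-7u10-windows-i586.exe"
& $installer /s WEB_JAVA=0 WEB_JAVA_SECURITY_LEVEL=VH

# Pin the same settings system-wide. The directory follows the deployment.config
# convention for the Sun/Oracle JRE on Windows (assumed; verify on your build).
$deployDir = Join-Path $env:WINDIR "Sun\Java\Deployment"
New-Item -ItemType Directory -Force -Path $deployDir | Out-Null

$propsPath = Join-Path $deployDir "deployment.properties"
$propsUri  = "file:///" + ($propsPath -replace '\\', '/')

# deployment.config points the JRE at the system properties file and makes it mandatory.
@"
deployment.system.config=$propsUri
deployment.system.config.mandatory=true
"@ | Set-Content -Path (Join-Path $deployDir "deployment.config") -Encoding ASCII

# deployment.properties carries the two settings; a bare "<key>.locked" line is the
# convention that keeps the corresponding Control Panel control read-only for users.
@"
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"@ | Set-Content -Path $propsPath -Encoding ASCII
```

After this runs, the "Enable Java content in the browser" box and the security slider appear greyed out in the Java Control Panel on that machine. Note that this only governs content launched through the browser; it does not patch the runtime, so the update-warning dialog and regular JRE updates still matter.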
One additional security feature in the new Java release is a dialog that warns the user when the installed Java Runtime Environment is out of date or below the security baseline.