The latest Java update released Tuesday includes new prompts warning users of potentially malicious applets, in addition to patches for 42 vulnerabilities, all but three of which are remotely exploitable.
Java 7 update 21 is part of Oracle’s scheduled Critical Patch Updates for the program and browser plug-in. Zero-day vulnerabilities discovered and exploited throughout the first two months of the year, however, forced almost monthly alerts and updates leading up to this week’s release.
Oracle recommends that users upgrade to the latest version of Java immediately citing a number of attacks in the wild targeting vulnerabilities that had not been patched until this week. A number of security experts, meanwhile, continue their calls to disable Java altogether, though many concede that this may be an issue for enterprises with home-grown applications that rely on Java.
Java 7u21 affects Java 7u17 and earlier, Java 6u43 and earlier and Java 5u41 and earlier, Oracle said. The company also added additional code-signing and warnings to users that an applet could be malicious. In a previous version, Oracle changed the default security setting from medium to high, a move meant to prevent unsigned Java Web applications from executing automatically. Users were warned before unsigned applets run, denying silent exploitation of a vulnerability, Oracle said.
Attackers, however, quickly found a way around the setting changes. Researchers discovered exploits in some of the popular exploit kits that not only spoofed the dialog box presented by Oracle to users for trusted applets but used a certificate signed with a stolen private key that had been revoked by certificate authority GoDaddy months before the attack was discovered.
In this week’s updates, applications using Java applets or Java Web Start that execute at runtime on the browser, for example, are required to sign code with a trusted certificate, Oracle said. All Java code will prompt the user, the Oracle advisory said.
“The type of dialog messages presented depends upon risk factors like, code signed or unsigned, code requesting elevated privileges, JRE is above or below the security baseline, etc.,” Oracle said. “Low risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk.”
Oracle also removed the low security settings in the Java Control Panel; users will no longer be able to opt out of the security features built into Java.
“The platform will not deny the execution of Java applications, however in high-risk scenarios the user is provided an opportunity to abort execution if they choose,” Oracle said. “Future update releases may include additional changes to restrict unsafe behaviors like unsigned and self-signed applications.”
New user prompts from Oracle are color-coded with a blue information shield representing an application signed by a trusted certificate, while a yellow shield or triangle indicates either an untrusted or expired certificate. Red text accompanies such warnings in the dialog box telling the user that running the application in question could be a security risk.