I've been a zone leader with DZone since 2008, and I'm crazy about community. Every day I get to work with the best that JavaScript, HTML5, Android and iOS have to offer, creating apps that truly make a difference, as principal front-end architect at Avego. James is a DZone Zone Leader and has posted 639 posts at DZone. You can read more from them at their website.

Java 7 Update 11 Released to Address Security Issues


On Sunday, Oracle released Java 7 Update 11 to address the recent security issues that had led Mozilla to add recent versions of Java to its add-on blocklist. With the latest update in place, you should be able to re-enable Java in your browser with peace of mind.

However, according to this latest article on Reuters, there may still be further security flaws:

Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws.

"We don't dare to tell users that it's safe to enable Java again," said Gowdiak.

In case you missed the news, the 0-day exploit allows attackers to run arbitrary code on client systems through malicious web pages. The thing is that this exploit wouldn't have worked if Oracle had issued a complete fix for an insecure implementation of the Reflection API.

Let's assume that's all in the past now. What was changed in this latest update? Mainly, the default security level has been changed from medium to high for all applets and Web Start applications. This means the user is always warned before any unsigned application is run.

One thing: if you have the standalone version of JavaFX 2.x installed, you'll have issues seeing the security level slider in Control Panel. To get around this, just uninstall the standalone version.

This whole issue has people a bit spooked about Java in their browser. Will you go ahead and re-enable Java on your web browser? Or are you going to take the ultra-cautious approach, and wait until security analysts say that all is well with Java?
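If the slider is unavailable, or you need to check many machines, the same setting can be read from the user's deployment.properties file. The script below is an added example, not Oracle's or the author's code; it assumes the property names deployment.security.level and deployment.webjava.enabled from Oracle's deployment configuration documentation (they are not quoted in this article), and the sample file contents are constructed.

```python
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}

SAMPLE_OLD = """# constructed sample: medium level written out explicitly
deployment.security.level=MEDIUM
"""
SAMPLE_LOCKED = """# constructed sample: slider at Very High, browser content off
deployment.security.level=VERY_HIGH
deployment.webjava.enabled=false
"""


def parse_properties(text):
    """Parse simple key=value / key:value lines (line continuations not handled)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        for i, ch in enumerate(line):
            if ch in "=:":                   # first separator ends the key
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def audit(text):
    """Return (configured_level, findings) for one deployment.properties file."""
    props = parse_properties(text)
    findings = []
    level = props.get("deployment.security.level")
    if level is None:
        # No explicit value: the installed JRE's default applies
        # (high as of Update 11, medium before, per the article).
        findings.append("security level not set: JRE default applies")
    elif level.upper() not in LEVEL_RANK:
        findings.append(f"unrecognised security level {level!r}")
    elif LEVEL_RANK[level.upper()] < LEVEL_RANK["HIGH"]:
        findings.append(f"security level {level.upper()} is below HIGH")
    if props.get("deployment.webjava.enabled", "true").lower() == "false":
        findings.append("Java content in the browser is disabled")
    return level, findings


if __name__ == "__main__":
    for name, text in (("old", SAMPLE_OLD), ("locked", SAMPLE_LOCKED), ("empty", "")):
        print(name, audit(text))
```

An explicit MEDIUM left in the file is the case worth looking for, since a stored value is no longer the default and may not follow the new one.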



Greg Brown replied on Mon, 2013/01/14 - 8:18am

I'm leaving it disabled. I don't actively use any web site/app that requires it.


Peter Hansson replied on Tue, 2013/01/15 - 10:37am

It seems there are many 'security experts' that would have us think that this is an either/or question. The only recommendation they seem to be able to come up with is: 'turn it all off'.

Of course if you never actually need Java in the browser then the choice is simple. But in corporate land that is very, very rare, that you wouldn't need Java in the browser.

There are quite a few options available that prevent the browser from executing any Java code unless you explicitly approve it. Some solutions (like the one now introduced by Oracle as of v7 Update 11) will prompt you every time. If you don't trust the site, you simply answer 'no'. I understand that a similar solution has always existed in Chrome.

Firefox users can benefit from the excellent NoScript extension. This has lots of configuration options but basically can work on the basis of whitelists that you control. Every time you visit a page that requires Java (or Flash, or .Net .. or...) you will be asked what you want to do: Add to whitelist, enable for this time only or reject.

I'm sure this was just a small sample of the solutions that exist.

We simply have to accept that any code that is doing more than just page rendering can be potentially unsafe. We have to find new ways of dealing with these threats rather than just saying "turn it all off" or "uninstall completely". I wish the 'security experts' were better informed as to what options are really available. I'm not, but I do not claim to be an expert.

Roger Ball replied on Wed, 2013/01/23 - 3:15pm

With respect to: "Adam Gowdiak, a researcher with Poland's Security Explorations who has discovered several bugs in the software over the past year, said that the update from Oracle leaves unfixed several critical security flaws."

Where can I find a deep dive technical discussion of all these bugs?

Maggie Brown replied on Wed, 2014/01/22 - 10:43am

You never know when the hackers will have the chance to infiltrate the program again, that's why I think it's always better to have additional security software on your computer to keep your data safe while surfing the internet. I got mine on http://www.trendmicro.com/us/enterprise/data-protection/index.html and I always know that my operating system is protected no matter what.
