Oracle's latest Java update addresses security vulnerabilities

2012-12-24

The recent network attacks targeting Java 7 users have put Oracle under pressure to deliver a security patch as quickly as possible. Java 7 users were concerned about this security vulnerability, since Oracle releases security patches only thrice a year. To end users' relief, Oracle's latest release, Java 7 update 10, adds functionality that lets users configure the desired level of security from the Java control panel. Although this update might not have completely eliminated the security vulnerability, it gives users better control over which kinds of applications or websites may run in their Java runtime environment.

Functionalities in Java 7 update 10

Java Web plug-in:

Most of the security attacks exploited the Java web browser plug-in that is installed as part of the Java 7 installation. To address this risk, Java 7 update 10 offers an additional control that lets the user enable or disable the Java web plug-in by selecting or deselecting a check box in the Java control panel. To do this, open the Java control panel; under the Security tab you will find the option “Enable Java content in the browser”, which can be selected or deselected.

Note:

For Windows users: after enabling Java content in the browser, go to the Advanced tab and select the option “Enable the next generation Java plug-in” to make sure that you have enabled the latest version of the Java plug-in.

Level of security:

In the Java control panel, under the Security tab, Oracle provides an option to set one of the following 4 levels of security.

  • Very High: If any app tries to run Java in the browser, the user will be prompted. If the Java version is insecure, only signed apps will run and unsigned apps will not run.
  • High: If an unsigned app tries to use the Java plug-in, the user will be prompted.
  • Medium: If the user’s Java version is secure, unsigned apps will run. Otherwise, the user will be prompted.
  • Low: Unsigned apps will run, unless they access an older version of the Java plug-in.

Although the ability to configure the level of security is a good thing, Oracle has set the default level of security to Medium, which doesn’t make sense. To keep the user’s machine secure, no unsigned app should run without prompting the user. So Oracle should consider setting the default Java security level to High.
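The two control panel settings described above (the browser plug-in check box and the security level) can also be checked in bulk by reading each user's deployment.properties file. The script below is an added example, not Oracle's code: the property names deployment.security.level and deployment.webjava.enabled are assumptions taken from Oracle's deployment configuration documentation rather than from this article, and the sample file contents are constructed.

```python
import re

# Levels named in this article, weakest to strongest.
LEVELS = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH"]
# Assumption: property names as given in Oracle's deployment configuration
# documentation; they are not mentioned in the article itself.
LEVEL_KEY = "deployment.security.level"
PLUGIN_KEY = "deployment.webjava.enabled"

def parse_properties(text):
    """Parse the plain key=value / key:value subset of the .properties format."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text, minimum="HIGH"):
    """Return a list of findings; an empty list means the settings pass."""
    props = parse_properties(text)
    findings = []
    # An absent level falls back to the default, which the article gives as Medium.
    level = props.get(LEVEL_KEY, "MEDIUM").upper()
    if level not in LEVELS:
        findings.append(f"unrecognised security level: {level}")
    elif LEVELS.index(level) < LEVELS.index(minimum):
        findings.append(f"security level {level} is below {minimum}")
    # Assumption: browser Java content counts as enabled unless explicitly false.
    if props.get(PLUGIN_KEY, "true").lower() != "false":
        findings.append("Java content in the browser is enabled")
    return findings

# Constructed sample files, not taken from a real machine.
SAMPLE_DEFAULT = "# no security settings written yet\n"
SAMPLE_LOW = "deployment.security.level=LOW\ndeployment.webjava.enabled=true\n"
SAMPLE_HARDENED = "deployment.security.level: HIGH\ndeployment.webjava.enabled = false\n"

if __name__ == "__main__":
    for name, sample in [("default", SAMPLE_DEFAULT), ("low", SAMPLE_LOW),
                         ("hardened", SAMPLE_HARDENED)]:
        print(name, audit(sample) or "OK")
```

The minimum of HIGH follows the article's recommendation; pass minimum="VERY_HIGH" to enforce the strictest level instead.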

Custom Security Setting:

Another good move by Oracle is the option that lets the user choose whether unsigned applications should prompt before running. Setting this option can make sure that no unsigned apps run without the user’s knowledge.

Oracle has managed to release a new update that addresses the security vulnerability, to keep Java 7 users secure. Java 7 users are therefore recommended to update their version of Java.