Oracle has issued an update for Java that aims to improve security in the often-attacked plugin. The Oracle Java Development Kit 7 Update 10 (JDK 7u10) release provides new updating and control capabilities that go beyond what Java users have enjoyed in the past.
Among the new security features in JDK 7u10 is the ability to restrict any Java application from running in a browser. There is also now an alerting mechanism to let users know when their Java installation is out of date. Going a step beyond that, Oracle is now including a “best before” date for every Java installation.
“It is assumed that a new version will be released before this date,” wrote Henrik Stahl, senior director of Product Management in the Java Platform Group at Oracle, in a blog post. “If the client has not been able to check for an update prior to this date, the Java runtime will assume that it is insecure and start warning the user prior to executing any applets.”
The need for improvements to Java security is not a new topic in the IT security world. Multiple studies have identified Java as being the least secure plugin.
“Java is the number one way users are becoming compromised,” Sophos security researcher Chet Wisniewski told eSecurityPlanet. “Whether it is the slow pace with which Oracle issues fixes or users not applying those updates when available is hard to know, but it is definitely the highest risk software you can install today.”
According to security vendor Qualys, Java is still a real security concern in 2012 due in no small part to the fact that many users are running unpatched versions.
“Java is the leading source of vulnerabilities in BrowserCheck,” Qualys CTO Wolfgang Kandek told eSecurityPlanet. “Roughly 35 percent of the scans that find vulnerable browsers include a flawed version of Java.”
Limitations of ‘Best Before’ Date Approach
The Qualys BrowserCheck checks a user’s browser for plugins and identifies out-of-date and vulnerable items. Kandek believes the additional updating check that the Java 7u10 release provides is an interesting idea. However, he doubts many IT administrators will use the additional functionality.
“While it does appear to make sense in the current Java landscape where there are many older Java versions in use, it is getting added to the current Java and so can only be used by IT administrators that are on the latest level already,” Kandek said. “The major problem is to move Java users off the old v6 edition, which is still the predominant version in our BrowserCheck statistics.”
“The best before check in Java 7u10 should improve patch uptake going forward, but given how slow this is today it will take several months before most Java users are using this version,” Moore told eSecurityPlanet.
While having an up-to-date version of Java is always a good idea, it might not be enough to actually provide security.
“Running an up-to-date Java is only part of the problem,” Sophos’ Wisniewski said. “Oracle only issues updates three times a year, sometimes for hundreds of security flaws. Even an up-to-date Java isn’t necessarily a safe Java.”
Java Control Panel
The Java 7u10 release also provides a new control panel that enables users to set security settings. The general idea is to provide even more control and limit the potential attack surface for Java vulnerabilities. It’s one of Kandek’s favorite features in the Java 7u10 release.
“It allows users that have Java installed to run applications locally to disable Java in the browser, which is the most common attack vector,” Kandek explained. “If one opts to allow Java in the browser then one can control how to restrict unsigned applications, i.e. run them directly or after prompt or not at all.”
There are multiple options for security settings in the Java Control Panel, and the default setting is less than ideal, explained Rapid7’s Moore. He noted that the security panel in 7u10 still defaults to “medium,” which allows untrusted applets to run without user confirmation.
“Enterprises should strongly consider setting this to ‘high’ instead,” Moore suggests. “This requires user confirmation before running any untrusted applet, adding one more layer of defense between a new sandbox escape exploit and an attacker gaining access to the internal network.”
Moore added that the “very high” setting prevents unsigned applets from running at all unless the latest version is installed. Whether or not that setting is relevant, however, depends on how long it takes Oracle to patch the next zero-day exploit.
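The two mechanisms described above, the “best before” expiry check and the medium/high/very high security levels, can be modelled as a single policy decision. The following is an added illustration written for this article, not Oracle’s code; it simplifies the expiry rule to a date comparison and assumes that signed applets are not gated by the level and that “very high” on a current runtime behaves like “high”.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class Level(Enum):
    MEDIUM = "medium"        # 7u10 default: untrusted applets run without confirmation
    HIGH = "high"            # confirmation before any untrusted applet
    VERY_HIGH = "very high"  # unsigned applets blocked unless the runtime is the latest

class Action(Enum):
    RUN, PROMPT, BLOCK = "run", "prompt", "block"

@dataclass(frozen=True)
class Runtime:
    best_before: date                  # expiry date shipped with this release
    last_update_check: Optional[date]  # last successful update check, if any
    is_latest: bool                    # whether that check found this release current

def assumed_insecure(rt: Runtime, today: date) -> bool:
    """Best-before rule (simplified model): once the date has passed, a runtime
    that never completed an update check before it treats itself as insecure."""
    if today < rt.best_before:
        return False
    checked_in_time = rt.last_update_check is not None and rt.last_update_check < rt.best_before
    return not checked_in_time

def applet_decision(level: Level, signed: bool, rt: Runtime, today: date) -> Action:
    """Combine the security-level policy with the best-before warning."""
    if signed:
        action = Action.RUN      # assumption: signed/trusted applets are not gated by the level
    elif level is Level.MEDIUM:
        action = Action.RUN
    elif level is Level.HIGH:
        action = Action.PROMPT
    elif rt.is_latest:
        action = Action.PROMPT   # assumption: 'very high' on a current runtime acts like 'high'
    else:
        action = Action.BLOCK
    # An expired runtime warns before running anything it would otherwise run silently.
    if action is Action.RUN and assumed_insecure(rt, today):
        return Action.PROMPT
    return action

def demo() -> dict:
    """Constructed sample scenarios (dates are made up, not real release data)."""
    today = date(2013, 1, 15)
    fresh = Runtime(date(2013, 4, 1), date(2013, 1, 10), True)   # checked, current, not expired
    stale = Runtime(date(2012, 12, 1), None, False)              # never checked, expired, old
    return {
        "medium_fresh": applet_decision(Level.MEDIUM, False, fresh, today),
        "medium_stale": applet_decision(Level.MEDIUM, False, stale, today),
        "high_fresh": applet_decision(Level.HIGH, False, fresh, today),
        "very_high_stale": applet_decision(Level.VERY_HIGH, False, stale, today),
        "very_high_fresh": applet_decision(Level.VERY_HIGH, False, fresh, today),
        "signed_stale": applet_decision(Level.MEDIUM, True, stale, today),
    }
```

The `medium_stale` case is the scenario Stahl describes: the default level would run the applet silently, but the expired runtime downgrades that to a warning prompt.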
Do You Need Java?
Oracle’s Java 7u10 doesn’t impress Andrew Storms, director of security operations for nCircle, all that much either. Storms told eSecurityPlanet that while the Java 7u10 includes a number of new features designed to bolster security, Oracle still has a long way to go to improve Java security.
“When I make a list of software people should uninstall, Java is always near the top,” Storms said. “Oracle has done a lousy job addressing Java security throughout 2012 and there’s no reason to expect they will change their approach in 2013.”
In Storms’ view, Oracle is still slow at delivering patches and doesn’t communicate effectively about zero-day threats either.
“If you absolutely need Java, you should install this update quickly because the new features help reduce the risks associated with running Java,” Storms said. “But it doesn’t change my position on unnecessary installations. If you don’t need it, get rid of it — you won’t be sorry.”