Java 7 update 10 lets users restrict Java apps in browsers
Java users can now block Web-based Java content completely or enforce strict restrictions for it
IDG News Service - A recent Java 7 update allows users to completely prevent Java applications from running inside browsers or to restrict how Web-based Java content is handled by the Java Runtime Environment (JRE) client. These features will benefit security-conscious users, but companies still have to find methods of isolating older Java versions, security experts say.
Java 7 Update 10 (7u10), released on Dec. 11, does not address any security vulnerabilities, but provides several security enhancements. According to its release notes, the new version provides users with "the ability to disable any Java application from running in the browser." This can be done from the "Security" tab on the Java control panel by clearing the "enable Java content in the browser" checkbox.
Security experts have long advised users to remove the Java plug-in from their Web browsers in order to protect themselves from the increasingly prevalent Web-based attacks that exploit Java vulnerabilities to infect computers with malware. However, in order to follow this advice users had to remove the plug-in from all of their browsers one by one and were often forced to redo the process after installing new Java updates.
Java 7u10 seems to make things easier by providing users with a central and persistent option for controlling Web-based Java content regardless of how many browsers they use. In addition, the new Java version provides users who can't afford to completely block such content with a method of controlling how potentially dangerous applets are handled.
Starting with Java 7u10 users have to ability to set security levels from low to very high for Web-based Java content, with medium being the default option. The medium security level will allow unsigned Java apps to run, but only if the Java version is considered secure. "You will be prompted if an unsigned app requests to run on an old version of Java," Oracle said in the tech notes for the new control panel security options.
Setting the security level to very high will prompt the user for permission every time a Java app, signed or unsigned, attempts to run in the browser. If the Java version is deemed insecure, unsigned apps won't run at all, regardless of what the user decides.
"The Security Level setting affects unsigned plug-in applets, Java Web Start applications, embedded JavaFX applications, and access to the native deployment toolkit plugins," Oracle said.
In addition, Java 7u10 introduces new dialogs that warn users when the installed JRE version is insecure and needs to be updated.
These changes don't make Java more secure in itself, but will likely make it easier for users to make their PCs more secure because they allow users to manage certain restrictions, Thomas Kristensen, chief security officer at vulnerability research and management firm Secunia, said Tuesday via email. However, in order for the majority of users to be protected, Oracle needs to set the new options in a restrictive way by default, because most users won't understand or know about the new restrictions, he said.
- 5 Customers Deliver Virtual Desktops and Apps to Empower a Modern Workforce Learn how Citrix solutions helped 5 companies realize the full value of desktop virtualization through a project-by-project approach based on key business priorities.
- Mitigate Risk and Accelerate Time to Value Download this white paper to learn how your IT organization can accelerate business, introduce new services, and reach new markets, all while staying...
- Allay Risks in Application Rationalization and Modernization IT has to do it all: react quickly to market needs, introduce new services, capitalize on mobile, and comply with regulatory requirements, all...
- Delivering Application Data On-Demand Packaged app dev teams frequently operate with limited testing environments due to various constraints. By virtualizing the entire application stack, Delphix-powered teams can...
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt.
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Applications White Papers | Webcasts