Java 7 update 10 lets users restrict Java apps in browsers
"The dialog warning about old and insecure versions is a big step in the right direction," Kristensen said. "Hopefully, it will make users think twice before running code on old Java versions."
Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, said that every step Oracle takes in safeguarding the end user is welcome, but agreed with Kristensen that most users will probably not use the new features because they don't understand them and because they're unwilling to update their software in general. Because of Java's large install base -- over 3 billion devices -- cybercriminals are unlikely to stop targeting it, he said via email.
In fact, the new dialogs warning about the use of insecure JRE versions might end up being used against users in social engineering scams in a similar way in which rogue Flash Player update notifications were used to distribute malware, Botezatu said.
"In corporate environments, this Java update may not immediately show its benefits, especially for companies who have developed in-house applications relying on Java and are unable to update for compatibility issues," Botezatu said. "Despite the fact that Java editions are usually backwards compatible with applications already built, the massive improvements in Java 7 may be insufficiently tested in production for corporations to take the risk of mass deployment in live environments."
"Companies with a need for old Java must find ways to virtualize or otherwise isolate old Java instances," Kristensen said. "It may be costly in terms of convenience and perhaps efficiency to isolate or virtualize old Java for use with non-modern enterprise applications, but the risk of surfing the web with an old version of Java can not justify convenience and small savings."
"If these Java settings are manageable via GPO (Group Policy) or similar centralized management tools, then it is likely to improve security for companies who only run the latest version, or have successfully isolated old versions," Kristensen said.
However, not everyone agrees that companies should migrate to Java 7. Adam Gowdiak, the founder of Security Explorations, a Polish security company with a strong focus on Java vulnerability research, believes that from the prospect of vulnerabilities being found in the code, migrating to Java 7 represents a higher risk than continuing to use Java 6.
"Our research proved that Java 7 was far more insecure that its predecessor version," Gowdiak said via email. "There were also many indications that certain new features introduced into Java 7 such as the new Reflection API didn't run through any security review."
"We are not surprised that corporations are resistant when it comes to the upgrade to Java 7," Gowdiak said. "The number of security bugs we found in Java 7 speaks for itself."
Because of this, Oracle should extend the public support period for Java 6, he said.
According to Oracle's support roadmap for Java, the company will stop issuing public updates for Java 6 after February 2013. Companies interested in receiving Java 6 security advisories, patches and bug fixes, after that date will have to sign up for a commercial extended support service.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Critical Role of Support in Your Enterprise Mobility Management Strategy Most business leaders underestimate the importance of tech support when they choose an EMM solution. Here's what to put on your checklist.
- Separating Work and Personal at the Platform Level: How BlackBerry Balance Works BlackBerry® Balance™ separates work from personal on the same mobile device, right at a platform level. Find out how it can work for...
- Protection for Every Enterprise: How BlackBerry Security Works Get an IT-level review of BlackBerry® Security, addressing data leakage protection, certified encryption, containerization and much more.
- Future Focus: What's Coming in Enterprise Mobility Management (EMM) Find out why Enterprise Mobility Management (EMM) solutions that are truly future-ready must be designed to enable Machine-to-Machine (M2M) capabilities and much more.
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast Unmasking the Differences between Consumer and Enterprise File Sync & Share The consumerization of IT combined with the rapid pace of the modern mobile workplace is forcing enterprise IT teams to evaluate file sync...
- Live Webcast Government Agency Webifies Outdated COBOL Applications Let this CTO tell you how his agency converted 1980s-era green screens into an e-filing portal for the 100,000 cases handled each year...
- Getting Ready for BlackBerry Enterprise Service 10.2 Find out how BlackBerry® Enterprise Service 10 helps organizations address the full spectrum of EMM challenges, while balancing the needs of both the...
- Containerization Options: How to Choose the Best DLP Solution for Your Organization This webcast outlines a framework for making the right choice when it comes to containerization approaches, along with the pros and cons of... All Applications White Papers | Webcasts