Oracle's latest Java 7 update, Java 7u25, fixes 40 security issues. Thirty-four of the patched vulnerabilities affect only client deployments of Java; four affect both client and server deployments; one affects the Java installer; and one affects the Javadoc tool that is used to generate HTML documentation files.
Oracle flags many of the client-only vulnerabilities as easy to exploit: an attacker can take control of a computer simply by hosting a malicious Java applet on a web page. Because these flaws are reachable through web browsers with the Java plug-in, Oracle ships a separate Server JRE (Java Runtime Environment) package that does not include the browser plug-in.
Java 7u25 also patches the Javadoc tool so that it no longer generates vulnerable Web pages, and Oracle has released a separate Java API Documentation Updater Tool that fixes pages generated by earlier, vulnerable versions of Javadoc. Other security-related changes in this update include enabling certificate revocation checking by default.
To fight Java exploits, Oracle has also changed Java's default behaviour so that it encourages developers to digitally sign their Java Web applications with valid certificates.
For this mechanism to work, Java must be able to check the certificates used to sign applets in real time. Without that check, an attacker could sign a malicious applet with a stolen certificate and Java would have no way to detect it, even after the CA had revoked the certificate for abuse.
Java 7 Update 25 therefore uses both CRLs (certificate revocation lists) and OCSP (Online Certificate Status Protocol) to check for certificate revocation by default.
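As an added illustration (not Oracle's plug-in code and not part of the original article), the following standalone Java program applies the same policy to a signed JAR: it validates each entry's code-signer certificate chain against the JRE's cacerts trust store with revocation checking enabled, fetching OCSP responses and CRLs from the URLs embedded in the certificates. The class name and the cacerts password `changeit` are assumptions, and the program needs network access to the CA's revocation services, which is exactly the dependency the release note quoted below is about.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example: validate the code-signer chain of every entry in a signed JAR
 * with CRL and OCSP revocation checking enabled (fail closed), mirroring the
 * policy Java 7u25 turns on by default for applets and Web Start applications.
 * Not Oracle's plug-in code; the class name and cacerts password are assumptions.
 */
public class SignerRevocationCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SignerRevocationCheck <signed.jar>");
            System.exit(2);
        }
        boolean ok = verifySigners(new File(args[0]));
        System.out.println(ok ? "all signers valid and unrevoked" : "verification FAILED");
        System.exit(ok ? 0 : 1);
    }

    /** PKIX parameters: JRE trust anchors plus real-time revocation checking via OCSP and CRLs. */
    static PKIXParameters revocationCheckingParams() throws Exception {
        // OCSP responder and CRL distribution point URLs come from the certificates
        // themselves (AIA and CRLDP extensions), so this needs network access to the CA.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        File store = new File(System.getProperty("java.home"), "lib/security/cacerts");
        try (InputStream in = new FileInputStream(store)) {
            cacerts.load(in, "changeit".toCharArray()); // assumed default cacerts password
        }
        PKIXParameters params = new PKIXParameters(cacerts);
        params.setRevocationEnabled(true); // unreachable revocation service => validation fails
        return params;
    }

    /** Returns true only if every non-META-INF entry is signed and every signer chain validates. */
    static boolean verifySigners(File jar) throws Exception {
        PKIXParameters params = revocationCheckingParams();
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        byte[] buf = new byte[8192];

        try (JarFile jf = new JarFile(jar, true)) {               // true: verify entry digests
            for (JarEntry entry : Collections.list(jf.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Signer information is only populated once the entry has been read to EOF;
                // an entry whose digest does not match throws SecurityException here.
                try (InputStream in = jf.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* digest verified as we read */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.err.println("UNSIGNED: " + entry.getName());
                    return false;
                }
                for (CodeSigner signer : signers) {
                    try {
                        validator.validate(trimTrustAnchor(signer.getSignerCertPath(), x509), params);
                    } catch (CertPathValidatorException e) {
                        // getReason() is REVOKED for a revoked signer and
                        // UNDETERMINED_REVOCATION_STATUS when neither OCSP nor a CRL could be fetched.
                        System.err.println("REJECTED " + entry.getName() + ": " + e.getReason()
                                + " (" + e.getMessage() + ")");
                        return false;
                    }
                }
            }
        }
        return true;
    }

    /** Signature blocks often carry the root CA too; PKIX validation treats the path as ending below the trust anchor. */
    static CertPath trimTrustAnchor(CertPath signerPath, CertificateFactory x509) throws Exception {
        List<Certificate> chain = new ArrayList<Certificate>(signerPath.getCertificates());
        if (chain.size() > 1) {
            X509Certificate last = (X509Certificate) chain.get(chain.size() - 1);
            if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                chain.remove(chain.size() - 1);
            }
        }
        return x509.generateCertPath(chain);
    }
}
```

Run it as `java SignerRevocationCheck app.jar` on a machine with Internet access. On a network that cannot reach the CA, the program rejects the JAR with UNDETERMINED_REVOCATION_STATUS rather than silently trusting it; that fail-closed behaviour is the source of the startup delays described below. Signature timestamps, which let code signed before a revocation stay valid, are deliberately not handled here.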
“Under normal circumstances revocation checking will have a slight impact on startup performance for applets and web start applications,” Oracle said in its release notes for Java 7u25. “Enterprises with managed networks and without access to the Internet (resulting in no access to the revocation services provided by Certificate Authorities) will see a significant delay in startup times.”
To avoid such delays, certificate revocation checking can be disabled through options available in the Java Control Panel. However, this “should only be considered in managed environments as it decreases security protections,” Oracle said.
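The same switches can be set outside the Java Control Panel for fleet deployment through deployment.properties. The fragment below is an added example, not from the article or from Oracle; the property names and file locations are from memory of Oracle's Java 7 deployment configuration reference and should be checked against the documentation for the version in use.

```properties
# Per-user file: ~/.java/deployment/deployment.properties on Unix, or
# %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties on Windows.
# For a system-wide policy, put the same keys in a file referenced from deployment.config
# (/etc/.java/deployment/deployment.config or C:\Windows\Sun\Java\Deployment\deployment.config):
#   deployment.system.config=file:/etc/.java/deployment/deployment.properties
#   deployment.system.config.mandatory=true

# What 7u25 enables by default: check every certificate in the chain,
# using both CRLs and OCSP.
deployment.security.revocation.check=ALL_CERTIFICATES
deployment.security.validation.crl=true
deployment.security.validation.ocsp=true

# The weaker setting Oracle warns about, for a managed network with no route to
# the CAs' revocation services. It trades revocation protection for startup time;
# PUBLISHER_ONLY is the intermediate option that checks only the signer's certificate.
# deployment.security.revocation.check=NO_CHECK

# Append ".locked" to a key to stop users changing that setting in the Control Panel.
# deployment.security.revocation.check.locked
```

Keep the lock in place whichever value is chosen: without it a user can re-enable or disable revocation checking from the Control Panel and the fleet policy is no longer what the administrator believes it to be.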