This week, Oracle released a massive update to Java. It patches 42 security vulnerabilities and now requires developers to get code-signing certificates for their Java apps.
According to Brian Krebs of Krebs on Security, “Oracle Corp. today released an update for its Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plugin. The Java update also introduces new features designed to alert users about the security risks of running certain Java content…. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities. According to Oracle, ’39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.'”
Sean Michael Kerner with eSecurity Planet observed, “Included among the April CPU patches are four vulnerabilities that were publicly demonstrated at the Pwn2Own hacking challenge in March. The Pw2Own vulnerabilities were privately reported to Oracle via contest organizer HP TippingPoint ZDI (Zero Day Initiative). HP paid security researchers $20,000 for each of the Java exploits as part of Pwn2Own.”
VentureBeat’s Meghan Kelly added, “New dialog boxes for the Java browser plugin are also being released. These are warning windows that pop up whenever Java is trying to run. The type of warning you receive is based on the quality of the digital certificate of that app. Low-risk warnings will appear if the certificate can be identified and has been signed by a certificate authority, or if the identified certificate has extra information. For these you will see either the Java logo, publisher’s logo, or a blue shield. You’ll be able to hide future warnings for publishers who provide these credentials. High-risk apps, however, will show you a yellow warning triangle for those apps that have an untrusted or expired certificate. A yellow shield is displayed for unsigned or invalid certificates.”
However, InformationWeek’s Matthew J. Schwartz noted, “This week’s release of Java 7 update 17 adds a system meant to warn users away from allowing Java apps that haven’t been signed with a digital certificate — from a certificate authority — to be allowed to execute. But the new Java 7 runtime environment warning system has been criticized on both usability and information security grounds.”