Java update patches 40 security issues - butlerwheirs

Oracle addressed 40 security issues in Java and enabled online certificate revocation checking by default in its scheduled critical patch update for Java on Tuesday.

Thirty-four of the vulnerabilities patched in the newly released Java 7 Update 25 (Java 7u25) affect only client deployments of Java. Another four affect both client and server deployments, one affects the Java installer and one the Javadoc tool that is used to create HTML documentation files.

Many of the client-only vulnerabilities received the maximum score on the vulnerability severity scale used by Oracle. These flaws can be exploited by attackers to take control of computers by hosting malicious Java applets (Java Web applications) on remote servers and tricking users into loading them in their browsers.

The wave of Web-based attacks that targeted Java users this year by exploiting vulnerabilities in the Java browser plug-in raised concerns about the security of the Java platform among home users and in enterprise environments, where Java is also frequently used on servers.

In order to clearly differentiate between the security risks to Java client and server deployments, Oracle started shipping a separate Server JRE (Java Runtime Environment) package in April that doesn't include the web browser plug-in.

The Javadoc issue could affect users who visit HTML pages generated with the tool that are hosted on Web servers.

"Any HTML pages that were created by any 1.5 or later versions of the Javadoc tool are vulnerable to frame injection," said Eric Maurice, Oracle's director of software assurance, in a blog post Tuesday. "If exploited, this vulnerability can result in granting a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers."

Java 7u25 includes a patched version of the Javadoc tool that no longer generates vulnerable Web pages. In addition, Oracle released a separate tool called the Java API Documentation Updater Tool, which can be used to fix previously generated, vulnerable pages.

The new update also makes some other security-related changes, including enabling the certificate revocation checking feature by default.

As part of its efforts to fight Java exploits, Oracle changed Java's default behavior earlier this year to prevent the execution of unsigned applets without user interaction, thereby encouraging developers to digitally sign their Java Web applications with valid certificates.

However, in order for this to work properly as a defense mechanism, Java needs to be able to check in real time whether the certificates used to sign applets have been revoked by their issuing certificate authorities (CAs). Otherwise, an attacker could sign a malicious applet with a stolen certificate and there would be no way for Java to detect that, even if the CA later revoked the certificate for abuse.

While support for two methods of certificate revocation checking, certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP), has existed in Java for a long time, the feature was turned off by default. In May, Oracle promised to change that in a future release.

The change was made in Java 7 Update 25, which now uses both CRL and OCSP to check for certificate revocations by default.

"Under normal circumstances revocation checking will have a slight impact on startup performance for applets and web start applications," Oracle said in its release notes for Java 7u25. "Enterprises with managed networks and without access to the Internet (resulting in no access to the revocation services provided by Certificate Authorities) will see a significant delay in startup times."

To avoid such delays, certificate revocation checking can be disabled through options accessible in the Java Control Panel. However, this "should only be considered in managed environments as it decreases security protections," Oracle said.

The number of vulnerabilities found and fixed in Java has increased significantly this year compared to the previous two years, Amol Sarwate, director of Qualys Vulnerability Labs, said Wednesday in an emailed statement. "This year we had 137 vulnerabilities as compared to just 28 and 38 during the same period for the last two years."
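As an added illustration, not code from the article or from Oracle, the following Java program validates a code-signing certificate chain against the JRE's trust store twice: once with revocation checking off, as Java behaved before 7u25 or with the Control Panel option disabled, and once with CRL and OCSP checking on, as 7u25 now does by default. It assumes a PEM file holding the signer's chain with the leaf certificate first, the JRE's default cacerts store with its default password, and network access to the CA's revocation services. The class name RevocationCheckDemo is mine; ocsp.enable and com.sun.security.enableCRLDP are the JDK's own Java 7-era switches for OCSP lookups and CRL Distribution Point fetching.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (hypothetical class, not Oracle's code): PKIX validation of a
 * code-signing chain with and without revocation checking.
 * Usage: java RevocationCheckDemo signer-chain.pem [cacerts-path] [store-password]
 */
public class RevocationCheckDemo {

    /** id-kp-codeSigning extended key usage OID. */
    private static final String CODE_SIGNING_EKU = "1.3.6.1.5.5.7.3.3";

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: RevocationCheckDemo <chain.pem> [cacerts] [storepass]");
            System.exit(2);
        }
        // Assumed defaults: the JRE's bundled trust store and its well-known password.
        String cacertsPath = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        List<X509Certificate> certs = loadPemChain(args[0]);
        X509Certificate leaf = certs.get(0);
        System.out.println("signer: " + leaf.getSubjectX500Principal());
        System.out.println("code-signing EKU present: " + hasCodeSigningEku(leaf));

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        KeyStore trust = loadTrustStore(cacertsPath, storePass);

        // Revocation off: a chain built on a stolen but since-revoked certificate still passes.
        System.out.println("revocation OFF -> " + validate(path, trust, false));
        // Revocation on: the validator contacts the CA's CRL/OCSP services and rejects the
        // chain if the certificate is revoked or if its status cannot be determined.
        System.out.println("revocation ON  -> " + validate(path, trust, true));
    }

    /** Reads PEM certificates; self-signed roots are dropped because anchors come from the trust store. */
    static List<X509Certificate> loadPemChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        InputStream in = new FileInputStream(pemPath);
        try {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) {
                    chain.add(x);
                }
            }
        } finally {
            in.close();
        }
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no end-entity certificate in " + pemPath);
        }
        return chain;
    }

    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** True if the leaf is actually a code-signing certificate, as an applet signer should be. */
    static boolean hasCodeSigningEku(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage();
        return eku != null && eku.contains(CODE_SIGNING_EKU);
    }

    /** Runs PKIX path validation and returns a one-line verdict instead of throwing. */
    static String validate(CertPath path, KeyStore trust, boolean checkRevocation) throws Exception {
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(checkRevocation);
        if (checkRevocation) {
            // Java 7 switches: OCSP is a Security property, CRL Distribution Point fetching a System property.
            Security.setProperty("ocsp.enable", "true");
            System.setProperty("com.sun.security.enableCRLDP", "true");
        }
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "VALID";
        } catch (CertPathValidatorException e) {
            // getReason() separates a definite REVOKED from UNDETERMINED_REVOCATION_STATUS
            // (the CRL/OCSP endpoints could not be reached).
            return "REJECTED (" + e.getReason() + "): " + e.getMessage();
        }
    }
}
```

With revocation on, the Java 7 validator fails closed: a revoked signer is rejected with reason REVOKED, and a signer whose status cannot be fetched is rejected with UNDETERMINED_REVOCATION_STATUS only after the CRL and OCSP connections have timed out, which is the startup delay Oracle's release notes describe for managed networks without Internet access.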

"We highly encourage users to patch as soon as possible," he said.

Source: https://www.pcworld.com/article/452486/java-7-update-25-fixes-40-security-issues-turns-on-certificate-revocation-checking.html

Posted by: butlerwheirs.blogspot.com
