Category Archives: Java

Java no longer supported on Windows XP

As of April 8, 2014, Oracle is no longer supporting the use of Java on Windows XP. Java 7 can still be installed on Windows XP, and Java 7 updates installed on Windows XP will probably work as expected, but Oracle says you’re on your own if bad things happen. Java 8 will refuse to install on Windows XP.

Recommendation: if you still have computers running Windows XP, stop using Java on those computers.

Update 2014Jul18: Oracle recently posted a clarification, saying that Java issues affecting only Windows XP will not be addressed with updates. Java issues affecting Windows XP as well as other versions of Windows will get updates, and those updates will work as expected on Windows XP.

Edit 2014Jul18: fixed two typos in the first paragraph.

Stop Firefox from showing embedded media automatically

My browser of choice these days is Firefox, despite its recent problems with bloat, performance and the user interface.

I recently made a change to the way Firefox handles embedded content like Java, Flash, Shockwave and Silverlight. By default, Firefox displays embedded media automatically; when you visit a web page that contains embedded media, it plays immediately after loading.

To change this behaviour, do the following:

  1. Go to the Firefox Add-ons page. How you do this depends on the version of Firefox, but one method that always works is to enter ‘about:addons’ in the address bar.
  2. In the menu on the left, click ‘Plugins’.
  3. To the right of each listed plugin, there’s a button. Clicking that button drops down a list with these options: ‘Ask to Activate’, ‘Always Activate’ and ‘Never Activate’.
  4. Change the activation setting for each plugin. ‘Never Activate’ disables a plugin completely. ‘Always Activate’ means that the associated media will run without any user intervention (the default behaviour). ‘Ask to Activate’ will prompt the user before playing the associated media. I set the following plugins to ‘Ask to Activate’: all Java plugins, all Flash plugins, all Shockwave plugins, and all Silverlight plugins.

Once you’ve made these changes, visiting a web page that includes embedded media shows grey blocks where the media would normally appear. A link appears in the middle of each block: ‘Activate Adobe Flash’, ‘Activate Java’, etc. Clicking the ‘Activate’ link pops up a small dialog that allows you to activate the media this time only, or permanently for that particular web site.
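The activation choices above are stored in the Firefox profile's prefs.js as `user_pref("plugin.state.<name>", N);` entries, where 0 is ‘Never Activate’, 1 is ‘Ask to Activate’ and 2 is ‘Always Activate’. The following script is an added example (not from the original post) that reads those entries and flags any plugin still set to run automatically; the prefs.js lines it parses are constructed sample data, and the plugin names other than flash and java are placeholders.

```python
import re

# Firefox stores per-plugin activation in the profile's prefs.js as
# user_pref("plugin.state.<name>", N);  with N = 0 Never, 1 Ask, 2 Always.
PREF_RE = re.compile(r'user_pref\("plugin\.state\.([^"]+)",\s*(\d)\);')
STATE_LABELS = {0: "Never Activate", 1: "Ask to Activate", 2: "Always Activate"}

# Constructed sample prefs.js content (not copied from a real profile;
# np32dsw and npctrl are placeholder plugin names).
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugin.state.flash", 1);
user_pref("plugin.state.java", 1);
user_pref("plugin.state.np32dsw", 2);
user_pref("plugin.state.npctrl", 0);
"""

def parse_plugin_states(prefs_text):
    """Return {plugin_name: state_int} for every plugin.state.* pref found."""
    states = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            states[m.group(1)] = int(m.group(2))
    return states

def auto_activating(states):
    """Names of plugins that would still run without a prompt (state 2)."""
    return sorted(name for name, state in states.items() if state == 2)

def audit(prefs_text, expected=("flash", "java")):
    """List plugins stored as 'Always Activate', plus any expected plugin
    with no stored pref at all (Firefox then applies its own built-in
    default, which this script does not assume)."""
    states = parse_plugin_states(prefs_text)
    findings = [f"{name}: {STATE_LABELS[2]}" for name in auto_activating(states)]
    for name in expected:
        if name not in states:
            findings.append(f"{name}: no plugin.state pref stored (browser default applies)")
    return findings

if __name__ == "__main__":
    # On a real system, read the profile's prefs.js instead of SAMPLE_PREFS.
    for finding in audit(SAMPLE_PREFS):
        print("WARNING", finding)
```

Run it against a copy of prefs.js with Firefox closed, since Firefox rewrites the file on exit.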

This has several benefits:

  • Malicious code in Java, Flash and other media files no longer runs automatically when I visit sites that use them. This makes web surfing much safer.
  • Pages that contain embedded media load faster. If I decide that I want to actually watch some embedded media on a site, I only have to click the ‘Activate’ link.
  • I can now see exactly what kind of media is embedded on a web page, which is especially useful for determining the relative popularity of different kinds of media.

Oracle Critical Patch Update fixes 37 issues in Java

Oracle just announced a huge batch of Critical Patch Updates, including 37 fixes for Java.

The updates affect all supported versions of Java, including Java 7 (7u55) and the recently-released Java 8 (8u5).

Oracle has clarified their position on the adoption of Java 8 in a special FAQ for version 8. According to that page, “The new release of Java is first made available to developers to ensure no major problems are found before we make it available on the java.com website for end users to download.”

So until Oracle decides that Java 8 is ready for general use, the main Java download page will still offer Java 7 as the ‘most recent’ version. Java 8 can be downloaded from the Oracle Java SE downloads page.

We recommend installing the latest version of Java 7 (7u55) unless you’re interested in testing your Java applications with Java 8, in which case you should install Java 8 Update 5.

Java 8 released

Oracle recently announced the availability of Java version 8.

The new Java includes a range of new features, most of which are only of interest to developers. There are some security improvements, but again, these will not be visible to the user and are mostly of use for developers of new Java software.

You can see the list of changes on the What’s New in JDK 8 page (warning: technical). The release notes may also be of interest.

Oddly, the main Java download page still points to older versions (Version 7 Update 51). You can get Java 8 from the Java SE downloads page.

Update 2014Apr15: Oracle clarified their position on the availability of Java 8 in a special FAQ. Basically, Java 8 is for developers, and Java 7 is for regular users. At some point, Oracle will decide Java 8 is ready for general use.

Oracle announces upcoming patches for Java

Oracle will issue another massive batch of updates for its products in its next Critical Patch Update, on January 14. From the pre-release announcement:

This Critical Patch Update contains 36 new security fixes for Oracle Java SE. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Java 7 Update 45 released

As part of a massive quarterly ‘CPU’ (Critical Patch Update), Oracle recently announced Java 7, Update 45 (7u45).

This new version of Java includes several security enhancements, mostly related to Java component deployment. A new button on the Security tab of the Java Control Panel, labeled ‘Restore Security Prompts’, allows the user to completely clear the list of allowed Java applications.

As for the contentious ‘Issue 69’ Java security vulnerability reported by security researcher Adam Gowdiak: according to Mr. Gowdiak’s latest research, this issue was resolved in Java 7, Update 40 (7u40).

Java 7 update 40 released with no announcement

A new version of Java was released yesterday with zero fanfare from Oracle. Presumably that’s because there are no security vulnerability fixes in this release, since normally there would be an announcement on Oracle’s Critical Patch Updates, Security Alerts and Third Party Bulletin blog.

The update is listed on the main release notes page for Java 7. The release notes page for 7u40 shows that there have been a lot of changes in this release, including some related to security, but no fixes for specific security vulnerabilities. The complete list of bugs fixed in this release is enormous.

It will be interesting to see what Adam Gowdiak says about this release, since some of the vulnerabilities he has reported still existed in the previous Java release, 7u25.

Update 2013Sep24: According to the vendor log on the Security Explorations site, “Oracle provides a monthly status report for the reported issues. The company informs that Issue 69 is fixed in main codeline and is scheduled for a future CPU.” In other words, Issue 69 is STILL not fixed.

Java 6 being targeted more frequently

Anyone still using Java 6 should upgrade to Java 7 as soon as possible. Oracle stopped making security fixes for Java 6 available to the public in February 2013, and exploits targeting unpatched vulnerabilities in Java 6 are finding their way into hacking toolkits.

Oracle has probably developed patches for recent vulnerabilities in Java 6, but these are only officially available to corporate clients with expensive support contracts. While I understand Oracle’s motivation for this, I disagree with their decision. When Oracle develops a security patch, it should be made available to everyone.

Reminder: latest Java still vulnerable

The most up-to-date version of Java (7 Update 25) is vulnerable to an exploit reported to Oracle on 2013Jul18 by Adam Gowdiak of Security Explorations.

This is just the latest version-specific vulnerability in a long series of related vulnerabilities that are all based on a fundamental weakness of Java that has existed for over ten years and has yet to be properly addressed.

Oracle has assured Mr. Gowdiak that this vulnerability will be eliminated in Java 7 Update 40, to be released in September 2013. The good news is that no active exploits for this vulnerability have yet been discovered.

As always, we recommend that you use Java with caution. Disabling Java in your web browser can decrease your exposure to Java-based attacks.

Update 2013Sep11: Java 7 update 40 was released yesterday, but there do not appear to be any specific fixes for this or any other security vulnerability. Some security-related changes were made in 7u40, and those changes may mitigate the vulnerability reported by Mr. Gowdiak. We will await an update from Mr. Gowdiak for confirmation either way.

Update 2013Oct16: Mr. Gowdiak has confirmed that this issue was resolved in Java 7 Update 40.