The latest round of Java patches, which were released in mid-June, call attention to some issues that all Java programmers should be concerned about. Oracle enabled online certificate revocation checking by default in the move, and it dealt with 40 security issues in Java. Of course, it’s hardly unusual for Oracle to issue a large number of patches at once, but it’s critical that programmers understand what the issues were, whether they maintain sites about British history or alcoholrecovery centers.
Who and What Was Impacted
According to Oracle, 34 of the patches in the Java 7 Update 25 (Java 7u25) affected only client developments of Java. Client and server deployments were affected by four other vulnerabilities, while one dealt with the Java installer and another with the Javadoc tool employed to make HTML documentation files.
Here’s an alarming development: The client-only vulnerabilities, which accounted for the aforementioned 34 patches, were extreme. Oracle graded them highly on its vulnerability severity scale. That’s because they might be used to trick users into loading malicious Java applets onto remote servers, a big problem indeed.
The Worst Vulnerabilities
Java experts immediately began to wonder: Was that tied to the fact that a large number of Java users were targeted by exploiting the vulnerabilities in the Java browser plug-in? Did that mean that the safety of home and enterprise users had been compromised, because Java is often employed on servers?
Oracle didn’t issue any true answers to this question. But Oracle did begin sending out a Server JRE (Java Runtime Environment) package earlier this Spring sans the browser plug-in. Meanwhile, users who visit HTML pages that were made with Javadoc and hosted on web servers could be impacted by the patches.
Oracle announced the updates in a blog post by its Director of Software Assurance, Eric Maurice. The post noted that the Javadoc tool vulnerability can grant a malicious attacker the ability to inject frames into a vulnerable web page. That would allow the attacker to push users toward malicious web pages via their browsers.
More to Keep an Eye On
Oracle also released the Java API Documentation Updater Tool, which will be employed to repairformerly generated and vulnerable pages. The Java default that allowed the execution of unsigned applets without user interaction was also changed. Now developers are being urged to sign their Java web applications digitally, using valid certificates.
Of course, Oracle also had to set up a rather complicated defense mechanism to enforce the application of this rule, which involves checking the certificates used to sign applets in real time to prevent an attacker from signing an applet with a stolen certificate.