The latest round of Java patches, released in mid-June, calls attention to some issues that all Java programmers should be concerned about. Oracle enabled online certificate revocation checking by default in the move, and it dealt with 40 security issues in Java. Of course, it's hardly unusual for Oracle to issue a large number of patches at once, but it's critical that programmers understand what the issues were, whether they maintain sites about British history or alcohol recovery centers.
Who and What Was Impacted
According to Oracle, 34 of the patches in Java 7 Update 25 (Java 7u25) affected only client deployments of Java. Client and server deployments were affected by four other vulnerabilities, while one dealt with the Java installer and another with the Javadoc tool employed to generate HTML documentation files.
Here's an alarming development: the client-only vulnerabilities, which accounted for the aforementioned 34 patches, were extreme. Oracle graded them highly on its vulnerability severity scale. That's because they might be used to trick users into loading malicious Java applets served from remote servers, a big problem indeed.
The Worst Vulnerabilities
Java experts immediately began to wonder: was that tied to the fact that a large number of Java users were targeted by exploiting the vulnerabilities in the Java browser plug-in? Did that mean that the safety of home and enterprise users had been compromised, because Java is often employed on servers?
Oracle didn't issue any true answers to this question. But Oracle did begin shipping a Server JRE (Java Runtime Environment) package earlier this spring without the browser plug-in. Meanwhile, users who visit HTML pages generated with Javadoc and hosted on web servers are also affected by one of the patched issues.
Oracle announced the updates in a blog post by its Director of Software Assurance, Eric Maurice. The post noted that the Javadoc tool vulnerability can grant a malicious attacker the ability to inject frames into a vulnerable web page. That would allow the attacker to push users toward malicious web pages via their browsers.
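The frame-injection problem described above is a classic case of a page taking a frame target from its own URL and using it without validation. The following is an added example, not Oracle's code and not output of the Javadoc tool or its Documentation Updater Tool: it shows the unsafe "strip the question mark and use the rest" behaviour beside an allow-list check that only accepts a relative, same-origin .html path. The reading of how frameset-style index pages such as Javadoc's historically took the target from the query string, and the default page name `overview-summary.html`, are assumptions made for the example.

```javascript
// Added example (not Oracle's code or Javadoc-generated output): allow-list
// validation of a frame target taken from the page URL.
//
// Frameset-style index pages have taken the page to show in a content frame
// from the query string, e.g. index.html?java/lang/String.html, and assigned
// it straight to the frame's location.  Anything an attacker can put into a
// link then becomes the frame's URL.  The hardened version below accepts only
// a relative .html path and falls back to a known default otherwise.

const DEFAULT_PAGE = "overview-summary.html"; // assumed default for the content frame

// Legacy (unsafe) behaviour, kept for contrast: drop the leading "?" and use
// whatever remains as the frame URL.  An absolute or protocol-relative URL
// here points the frame at a page the attacker chose.
function legacyFrameTarget(search) {
  const target = String(search);
  return target !== "" && target !== "undefined" ? target.substring(1) : "";
}

// Hardened validation: true only for a relative path made of path-safe
// characters that ends in ".html", with no scheme, no leading "/" (which
// also covers protocol-relative "//host/..."), no backslashes and no ".."
// segments.
function isSafeFrameTarget(target) {
  if (typeof target !== "string" || target === "") return false;
  if (target.length > 2048) return false;
  if (target.indexOf(":") !== -1) return false;      // rejects http:, javascript:, data: ...
  if (target.startsWith("/")) return false;          // keep it relative to the doc root
  if (target.indexOf("\\") !== -1) return false;
  if (!/^[A-Za-z0-9_\-./]+$/.test(target)) return false; // only letters, digits, / . - _
  if (!target.endsWith(".html")) return false;       // must name an .html file
  if (target.split("/").some((seg) => seg === "..")) return false; // no traversal
  return true;
}

// Drop-in replacement for the legacy logic: same input (location.search),
// but anything that fails validation yields the default page instead.
function safeFrameTarget(search) {
  const candidate = legacyFrameTarget(search);
  return isSafeFrameTarget(candidate) ? candidate : DEFAULT_PAGE;
}

// In a frameset page this would be wired as:
//   top.classFrame.location = safeFrameTarget(window.location.search);
// The demo below uses constructed query strings and runs stand-alone under Node.
const samples = [
  "?java/lang/String.html",             // legitimate deep link: accepted
  "?http://example.invalid/fake.html",  // absolute URL: rejected
  "?//example.invalid/fake.html",       // protocol-relative URL: rejected
  "?../../../other/x.html",             // traversal: rejected
  "?java/lang/String.html#x",           // disallowed character: rejected
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", legacyFrameTarget(s), "|", safeFrameTarget(s));
}
```

The check is deliberately an allow-list rather than a block-list of bad prefixes: the set of strings a browser will treat as an absolute URL is larger than it looks, so it is safer to describe the one shape a legitimate documentation link can have and reject everything else.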
More to Keep an Eye On
Oracle also released the Java API Documentation Updater Tool, which can be employed to repair formerly generated and vulnerable pages. The Java default that allowed the execution of unsigned applets without user interaction was also changed. Now developers are being urged to sign their Java web applications digitally, using valid certificates.
Of course, Oracle also had to set up a rather complicated defense mechanism to enforce the application of this rule, which involves checking the certificates used to sign applets in real time to prevent an attacker from signing an applet with a stolen certificate.