Wednesday Oct 16, 2013

Updated Security Baseline (7u45) impacts Java 7u40 and before with High Security settings

The Java Security Baseline has been increased from 7u25 to 7u45. For versions of Java below 7u45, this means unsigned Java applets or Java applets that depend on Javascript LiveConnect calls will be blocked when using the High Security setting in the Java Control Panel.

This issue only affects Applets and Web Start applications. It does not affect other types of Java applications.

The Short Answer

Upgrading to Java 7 update 45 fixes this automatically and is strongly recommended for all users.

The More Detailed Answer

There are two items involved as described on the deployment flowchart:

  1. The Security Baseline – a dynamically updated attribute that checks to see which Java version contains the most recent security patches.
  2. The Security Slider – the user-controlled setting of when to prompt/run/block applets.

The Security Baseline

Java clients periodically check in to understand what version contains the most recent security patches. Versions are released in-between that contain bug fixes. For example:

  • 7u25 (July 2013) was the previous secure baseline.
  • 7u40 contained bug fixes. Because this did not contain security patches, users were not required to upgrade and were welcome to remain on 7u25.
  • When 7u45 was released (October, 2013), this critical patch update contained security patches and raised the secure baseline. Users are required to upgrade from earlier versions.

For users that are not regularly connected to the internet, there is a built-in Expiration Date. Because of the pre-established quarterly critical patch updates, we are able to determine an approximate date of the next version. A critical patch released in July will have its successor released, at latest, in July + 3 months: October.

The Security Slider

The security slider is located within the Java control panel and determines which Applets & Web Start applications will prompt, which will run, and which will be blocked.

One of the questions used to determine prompt/run/block is, “At or Above the Security Baseline.”

The Combination

JavaScript calls made through LiveConnect do not reside within signed JAR files, so they are treated as unsigned code. This holds on networked systems even when the domain uses HTTPS, because a signed JAR file represents signed "data at rest", whereas TLS (often still called SSL) stands for "Transport Layer Security" and secures the communication channel, not the contents or code carried over that channel.

The resulting flow of users who click "update later" is:

  • Is the browser plug-in registered and allowed to run? Yes.
  • Does a rule exist for this RIA? No rules apply.
  • Does the RIA have a valid signature? Yes and not revoked.
  • Which security prompt is needed?
    • JRE is below the baseline. This is because 7u45 is the baseline and the user clicked "update later."
  • Under the default High setting, unsigned code is set to "Don't Run", so users see:
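As an added illustration (not Oracle's code or the plug-in's actual logic), the following Python model walks the two checks described above, the baseline/Expiration Date comparison and the High-setting treatment of unsigned code, for a single applet request. The version-string format, the three-month expiration rule and the branch outcomes are taken from this post; anything the post does not spell out is returned as "not decided here" rather than guessed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

BASELINE_UPDATE = 45  # from the post: 7u25 was the previous baseline, 7u45 the new one

def parse_update(version: str) -> int:
    """'7u40' -> 40. Only Java 7 '7u<N>' strings are handled (model assumption)."""
    major, _, update = version.partition("u")
    if major != "7" or not update.isdigit():
        raise ValueError(f"unsupported version string: {version!r}")
    return int(update)

def expiration_date(release: date) -> date:
    """Offline fallback: a CPU's successor ships at the latest three months later."""
    month0 = release.month - 1 + 3
    return date(release.year + month0 // 12, month0 % 12 + 1, min(release.day, 28))

def below_baseline(version: str, online: bool, today: date, release: date) -> bool:
    """Online: compare with the fetched baseline; offline: use the built-in Expiration Date."""
    if online:
        return parse_update(version) < BASELINE_UPDATE
    return today >= expiration_date(release)

@dataclass
class RIARequest:
    plugin_allowed: bool      # browser plug-in registered and allowed to run
    rule_applies: bool        # a deployment rule covers this RIA
    signature_valid: bool     # JAR signature valid and not revoked
    uses_liveconnect: bool    # JavaScript -> Java calls count as unsigned code
    jre_version: str          # e.g. "7u40"

def decision_under_high(req: RIARequest, online: bool = True,
                        today: Optional[date] = None,
                        release: Optional[date] = None) -> str:
    """Walk the flow from the post for the High slider setting. Branches the
    post does not spell out return 'not decided here' instead of a guess."""
    if not req.plugin_allowed:
        return "blocked: plug-in not registered or not allowed to run"
    if req.rule_applies:
        return "not decided here: deployment rule applies"
    if not online and (today is None or release is None):
        raise ValueError("offline check needs today's date and the JRE release date")
    stale = below_baseline(req.jre_version, online, today, release)
    unsigned = req.uses_liveconnect or not req.signature_valid
    if unsigned and stale:
        return "blocked: unsigned code with JRE below baseline (High: Don't Run)"
    return "not blocked by the baseline check"
```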

Additional Notes

As a reminder, in the future, Java 7u51 (January 2014) will block unsigned and self-signed Applets & Web Start applications by default.

About

Science Duke
This blog contains topics related to Java SE, Java Security and Usability. The target audience is developers, sysadmins and architects that build, deploy and manage Java applications. Contributions come from the Java SE Product Management team.
