7u45 Caller-Allowable-Codebase and Trusted-Library
By costlow on Oct 18, 2013
Versions below the security baseline used to apply the Trusted-Library Manifest attribute to call between sandboxed code and higher-privileged code. The Trusted-Library value was a Boolean true or false. Security changes for the current security baseline (7u45) introduced a different Caller-Allowable-Codebase that indicates precisely where these LiveConnect calls can originate. For example, LiveConnect calls should not necessarily originate from 3rd party components of a web page or other DOM-based browser manipulations (pdf).
Additional information about these can be located at “JAR File Manifest Attributes for Security.”
The workaround for end-user dialogs is described on the 7u45 release notes, which explains removing the Trusted-Library attribute for LiveConnect calls in favor of Caller-Allowable-Codebase. This provides necessary protections (without warnings) for all users at or above the security baseline. Client installations automatically detect updates to the secure baseline and prompt users to upgrade.
Warning dialogs above or below
Both of these attributes should work together to support the various versions of client installations. We are aware of the issue that modifying the Manifest to use the newer Caller-Allowable-Codebase causes warnings for users below the security baseline and that not doing it displays a warning for users above.
|Manifest Attribute||7u45||7u40 and below|
|Only Caller-Allowable-Codebase||No dialog||Displays prompt|
|Only Trusted-Library||Displays prompt||No dialog|
|Both||Displays prompt (*)||No dialog|
|This will be fixed in a future release so that both attributes can co-exist.|
The current work-around would be to favor using Caller-Allowable-Codebase over the old Trusted-Library call.
For users who need to stay below the security baseline
System Administrators that schedule software deployments across managed computers may consider applying a Deployment Rule Set as described in Option 1 of “What to do if your applet is blocked or warns of mixed code.”
System Administrators may also sign up for email notifications of Critical Patch Updates.