Updated Security Baseline (7u45) impacts Java 7u40 and before with High Security settings
By Erik Costlow-Oracle on Oct 16, 2013
This issue only affects Applets and Web Start applications. It does not affect other types of Java applications.
The Short Answer
Users upgrading to Java 7 update 45 will automatically fix this and is strongly recommended.
The More Detailed Answer
There are two items involved as described on the deployment flowchart:
- The Security Baseline – a dynamically updated attribute that checks to see which Java version contains the most recent security patches.
- The Security Slider – the user-controlled setting of when to prompt/run/block applets.
The Security Baseline
Java clients periodically check in to understand what version contains the most recent security patches. Versions are released in-between that contain bug fixes. For example:
- 7u25 (July 2013) was the previous secure baseline.
- 7u40 contained bug fixes. Because this did not contain security patches, users were not required to upgrade and were welcome to remain on 7u25.
- When 7u45 was released (October, 2013), this critical patch update contained security patches and raised the secure baseline. Users are required to upgrade from earlier versions.
The Security Slider
The security slider is located within the Java control panel and determines which Applets & Web Start applications will prompt, which will run, and which will be blocked.
One of the questions used to determine prompt/run/block is, “At or Above the Security Baseline.”
The resulting flow of users who click "update later" is:
- Is the browser plug-in registered and allowed to run? Yes.
- Does a rule exist for this RIA? No rules apply.
- Does the RIA have a valid signature? Yes and not revoked.
- Which security prompt is needed?
- JRE is below the baseline. This is because 7u45 is the baseline and the user, clicked "upgrade later."
- Under the default High setting, Unsigned code is set to "Don’t Run" so users see:
- End Users can control their own security slider within the control panel.
- System Administrators can customize the security slider during automated installations.
As a reminder, in the future, Java 7u51 (January 2014) will block unsigned and self-signed Applets & Web Start applications by default.