Thursday Aug 28, 2014
Tuesday Aug 05, 2014
By Tori Wieldt-Oracle on Aug 05, 2014
Is Java inherently insecure? As a Java developer, what things should you think about in terms of security? How is ECC better than RSA? Is RSA good enough security? Hear what James McGivern, a software engineer in Cisco's Cloud Web Security group, has to say about securing your Java applications.
- ECC vs RSA: Battle of the Crypto-Ninjas (James' slides from Devoxx UK 2014)
- Using the New JDK 8 Security Features (from JavaOne 2013)
Friday May 31, 2013
By Yolande Poirier-Oracle on May 31, 2013
In a detailed blog, Nandini Ramani, Vice President of Software Development, summarizes Oracle's steps to address security issues on the Java platform. Among the most recent changes, she explains that "it is now possible to run signed applets without allowing them to run outside the sandbox, and users can prevent the execution of any applets if they are not signed". She lists the impacts of those changes and mentions, for example, that "Oracle urges organizations whose sites currently contain unsigned Java Applets to sign those Applets according to the documented recommendations."
She also explains that "Oracle has found that the public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organizations committed to Java applications running on servers. As a result, Oracle is taking steps to address the security implications of the wide Java distribution model, by further dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments). With Java 7 update 21, Oracle has introduced a new type of Java distribution: “Server JRE.”"
She added that "starting in October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products. In other words, Java will now issue four annual security releases."
Check out her original blog
Tuesday Apr 30, 2013
By Yolande Poirier-Oracle on Apr 30, 2013
- Alphalogic, an easy to use tool with high level integration, control and monitoring for engineering systems and security systems
- Platypus Application Designer, a tool to develop the structure of database applications, reusable SQL queries and client/server applications
- Sypherlink Harvester, a tool collecting metadata, database statistics, sample data and more in relational and non-relational data sources
- Total Airport Management (TAM)
- Summit Management Systems, a data acquisition and floor plant monitoring tool for assembly processes
- Integrated Service Technology, a testing and analysis solution for integrated circuits
- DigiMed, a radiology software for hospitals in Mexico
- Ksenia, a security system configuration software
- Vimar, a home automation management software
- Phyloviz, a visualization software tool for Phylogenetics
- Delcam Crispin, a footwear CAD/CAM software
- Autopsy, a digital forensics platform
- Sristy Technologies, a software solution to analyze seismic data, drilling, completion and reservoirs for the energy sector
- HEIDE, a multiprocessor microcontroller platform
- SIEUFERD, a universal user interface for relational databases
- Polaris Slipstream, an extensive data modeling application designed for NASA Mission visualization
- MammoControl DIANNA, a tool analyzing and transmitting mammography images for the German Breast Cancer Screening Program
- IGS-Bio, a motion capture software application
- Klinika Medical Assistant, an EMR software used in the Philippines
- A series of software from Satlantic, an ocean technology company
- Mongkie, an integrated network visualization platform for biological data
- 4Vending, a vending machine management solution
- Piraso, an open source debugger and analyzer tool
- SafetyMach, a European safety requirement software
Tuesday Apr 16, 2013
By Tori Wieldt-Oracle on Apr 16, 2013
Oracle has released three updates to Java. It is important to note that they contain several security changes. The releases are:
Java SE 7 Update 21
This release contains new features and fixes for security vulnerabilities, including a new Server JRE, JRE Installer linked with Uninstall Applet on Windows platform, changes to Security Dialogs and more. Oracle strongly recommends that all Java SE 7 users upgrade to this release.
Release Notes Download
In addition to security fixes, Oracle has included new security features in this release. These are significant:
- Starting with Java SE 7u21, a Server Java Runtime Environment (Server JRE) package is available for deploying Java applications on servers. The Server JRE includes the same high performance JVM that is available in the JDK and JRE packages, tools for JVM monitoring and tools commonly required for server applications. It does not include browser integration (the Java plug-in), auto-update, nor installer. Learn more in the Release Notes.
- Changes to Java Control Panel's Security Settings - In this release, low and custom settings are removed from the Java Control Panel (JCP)'s Security Slider.
Depending on the security level set in the Java Control Panel and the user's version of the JRE, self-signed or unsigned applications might not be allowed to run. The default setting of High permits all but local applets to run on a secure JRE. If the user is running an insecure JRE, only applications that are signed with a certificate issued by a recognized certificate authority are allowed to run.
For more information, see the Security section of the Java Control Panel documentation.
- Changes to Security Dialogs - Specifically, all Java code executed within the client’s browser will prompt the user. The type of dialog messages the user sees depends upon the risk factors. Low-risk scenarios present a very minimal dialog and include a checkbox to not display similar dialogs by the same vendor in the future. Higher risk scenarios, such as running unsigned jars, will require more user interaction given the increased risk. See the Java Source Blog IMP: Your Java Applets and Web Start Applications Should Be Signed.
Resources that will be helpful for both developers and end-users are:
- What should I do when I see a security prompt from Java? (Java.com FAQ)
- Java Content in the Browser — Application Publisher Security Messages (Java.com FAQ)
- Java Applet & Web Start - Code Signing (OTN FAQ)
- Changes to RMI - From this release, the RMI property java.rmi.server.useCodebaseOnly is set to true by default. In previous releases the default value was false.
This change of default value may cause RMI-based applications to break unexpectedly. The typical symptom is a stack trace that contains a java.rmi.UnmarshalException containing a nested java.lang.ClassNotFoundException.
For more information, see RMI Enhancements in Java SE 7 documentation.
- JDK for Linux on ARM - this release includes support for JDK for Linux on ARM. The product offers headful support for ARMv6 and ARMv7.
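The RMI symptom described above (a `java.rmi.UnmarshalException` with a nested `java.lang.ClassNotFoundException`) can be searched for in application logs after moving to 7u21. The following is an added example, not code from Oracle or the original post; the log lines, class names and the function name `find_codebase_breakage` are constructed for illustration.

```python
import re

# Constructed sample log (not real output): only the first trace shows the symptom.
SAMPLE_LOG = """\
2013-04-17 09:12:01 ERROR remote call failed
java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
\tjava.lang.ClassNotFoundException: com.example.billing.InvoiceImpl
\tat sun.rmi.server.UnicastRef.invoke(UnicastRef.java)
Caused by: java.lang.ClassNotFoundException: com.example.billing.InvoiceImpl
\tat java.net.URLClassLoader.findClass(URLClassLoader.java)
2013-04-17 09:12:05 ERROR registry lookup failed
java.rmi.ConnectException: Connection refused to host: 192.0.2.10
\tat sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java)
2013-04-17 09:13:40 ERROR plugin load failed
java.lang.ClassNotFoundException: com.example.plugins.Missing
\tat java.net.URLClassLoader.findClass(URLClassLoader.java)
"""

UNMARSHAL = re.compile(r"\bjava\.rmi\.UnmarshalException\b")
CNFE = re.compile(r"\bjava\.lang\.ClassNotFoundException: ([\w.$]+)")
# Lines that belong to the trace opened by the previous unindented line.
CONTINUATION = ("\t", " ", "Caused by:")


def find_codebase_breakage(log_text):
    """Return [(first_line_of_trace, missing_class)] for every trace in which a
    ClassNotFoundException appears nested under an UnmarshalException."""
    hits, start, armed = [], None, False
    for no, line in enumerate(log_text.splitlines(), 1):
        if not line.startswith(CONTINUATION):
            start, armed = no, False      # an unindented line opens a new record
        if UNMARSHAL.search(line):
            armed = True                  # UnmarshalException seen in this trace
        match = CNFE.search(line)
        if armed and match:
            hits.append((start, match.group(1)))
            armed = False                 # report each trace once
    return hits


if __name__ == "__main__":
    for line_no, cls in find_codebase_breakage(SAMPLE_LOG):
        print(f"line {line_no}: RMI could not load {cls}; "
              "check java.rmi.server.useCodebaseOnly (true by default since 7u21)")
```

A plain `ClassNotFoundException` or an unrelated RMI error is deliberately not reported, so the hits point at calls that relied on the old default.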
Thursday Mar 28, 2013
By Tori Wieldt-Oracle on Mar 28, 2013
Starting with Java SE 7 Update 21 in April 2013, all Java Applets and Web Start Applications should be signed with a trusted certificate.
The April 16th, 2013 Critical Patch Update for Java SE (7u21) will change the launch behavior related to running Java Applets and Web Start Applications. Users will be presented with one or more dialogs that provide additional information and let them choose to continue or terminate execution. For the best possible user experience, your Applets and Web Start Applications should be signed.
What does this mean? Java SE 7u21 will introduce changes to Java browser plug-in behavior, encouraging application authors and vendors to sign code with a certificate from a trusted Certificate Authority. You, as a developer, are strongly encouraged to sign code now in preparation for this release and future releases.
For more information, read Java Applet & Web Start - Code Signing on OTN.
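To find out which deployed JARs still need signing, a first-pass inventory can look at JAR structure alone. This is an added example, not from the original post or from Oracle: it only checks for signature files in `META-INF` and for entries the `.SF` file does not list, it does not validate signatures or certificate chains (that is what `jarsigner -verify` does), and the sample JARs and function names are constructed.

```python
import io
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")   # signature block files written by jarsigner


def sf_entry_names(sf_text):
    """Entry names covered by a .SF file; long lines continue with a leading space."""
    unfolded = sf_text.replace("\r\n", "\n").replace("\n ", "")
    return {ln[len("Name: "):] for ln in unfolded.split("\n") if ln.startswith("Name: ")}


def classify_jar(data):
    """Return (status, uncovered_entries) from the JAR's structure alone."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        meta = [n for n in names if n.upper().startswith("META-INF/") and n.count("/") == 1]
        sf_files = [n for n in meta if n.upper().endswith(".SF")]
        has_block = any(n.upper().endswith(SIG_BLOCK_EXT) for n in meta)
        if not sf_files or not has_block:
            return "unsigned", []
        covered = set()
        for sf in sf_files:
            covered |= sf_entry_names(jar.read(sf).decode("utf-8", "replace"))
        # Entries outside META-INF that no .SF file lists were added after signing.
        payload = [n for n in names if not n.upper().startswith("META-INF/")]
        uncovered = sorted(n for n in payload if n not in covered)
        return ("partially-signed" if uncovered else "signed"), uncovered


def make_jar(entries):
    """Build a constructed sample JAR in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: the digest and signature block are placeholders, not real signatures.
SF = ("Signature-Version: 1.0\r\n\r\n"
      "Name: com/example/Applet.class\r\nSHA-256-Digest: PLACEHOLDER\r\n\r\n")
SIGNED = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n",
          "META-INF/APP.SF": SF, "META-INF/APP.RSA": b"placeholder",
          "com/example/Applet.class": b"\xca\xfe\xba\xbe"}
SAMPLES = {
    "unsigned.jar": make_jar({"com/example/Applet.class": b"\xca\xfe\xba\xbe"}),
    "signed.jar": make_jar(SIGNED),
    "entry-added.jar": make_jar({**SIGNED, "com/example/Extra.class": b"\xca\xfe\xba\xbe"}),
}
```

Anything reported as `unsigned` or `partially-signed` is a candidate for re-signing; anything reported as `signed` still needs `jarsigner -verify` to confirm the signature and the issuing certificate.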
Tuesday Feb 19, 2013
By Tori Wieldt-Oracle on Feb 19, 2013
Oracle has released Updates to February 2013 Critical Patch Update for Java SE. This update contains fixes for additional security vulnerabilities. Oracle recommends that customers apply Critical Patch Updates (CPUs) as soon as possible. You can read details on the Oracle Software Security Assurance Blog.
Released today is:
Since JRE 6 has reached its End of Public Updates, Oracle is taking steps to protect consumer desktops. Oracle will not leave a version of Java installed for which Oracle no longer provides security updates.
In order to do so, when updating from JRE 6, the update mechanism will not only install the latest version of JRE 7 but will also remove the highest version of JRE 6 on the system. This change will happen when the system is updated via the auto-update mechanism or by checking for updates directly from the Java Control Panel. For more information, read the Java SE 7 Update 15 Release Notes.
As always, consumers can get the Java Runtime Environment (JRE) from Java.com. Developers can get the Java Development Kit (JDK) and the Java Runtime Environment (JRE) from the Oracle Technology Network.
Friday Feb 01, 2013
By Tori Wieldt-Oracle on Feb 01, 2013
Oracle just released the February 2013 Critical Patch Update for Java SE. Oracle accelerated the release of this update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers has been addressed with this Critical Patch Update. In addition to a number of security in-depth fixes, this update contains fixes for 50 security vulnerabilities. Oracle strongly recommends that customers apply CPU fixes as soon as possible. You can read details on the Oracle Software Security Assurance Blog.
Released today is:
- Java SE 7 Update 13
- Java SE 6 Update 39
- JavaFX 2.2.5
Sunday Jan 13, 2013
By Tori Wieldt-Oracle on Jan 13, 2013
A user may control, via the Java Control Panel, the level of security that will be used when running unsigned (also called "untrusted" or "sandboxed") Java apps in a browser. The user may select from five levels of security. See the "Setting the Security Level of the Java Client" documentation to see what the settings do and how users can tighten security. You can also read Henrik Stahl's blog Oracle JDK 7u10 Released with New Security Features.
Because this is an out-of-schedule release remediating security vulnerabilities, going forward Oracle will increment the release number for all subsequent Java 7 releases by two numbers in order to continue having CPUs as odd numbers and limited updates as even numbers. For example, for the next Java CPU release, scheduled for Feb 19, 2013, the JDK 7 release version will be renamed to Java SE 7u13.
Monday Dec 17, 2012
By Tori Wieldt-Oracle on Dec 17, 2012
On December 11, 2012 Oracle released Java SE 7 Update 10 (Java SE 7u10). This release includes enhanced security features and support for new platforms.
Enhanced Security Features
The JDK 7u10 release includes the following security enhancements:
- The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
- The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
- New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.
Java SE 7 Update 10 (Java SE 7u10) supports Windows 8 Desktop Mode with IE 10, and Mac OS 10.8. For more information, refer to the Oracle Certified System Configurations page.
Download and Release Notes