Oracle made Java 7 Update 21 available to patch 42 security issues regarded as important.
Oracle said 39 of these issues potentially allow attackers to take control of computers without authentication. In view of the numerous recent attacks on the Java platform, Oracle recommended users install the new update as soon as possible.
Nineteen of the security holes that have been fixed with the new update ended up rated at the highest Common Vulnerability Scoring System (CVSS) level of 10; other flaws are critical, but end up rated lower because they are more complex to access and exploit.
The list of flaws includes 7 critical flaws in the 2D graphics system, with other flaws spread throughout the various subcomponents of Java. Oracle also released an update for Java 6, Java 6 Update 45, which addresses a subset of applicable vulnerabilities in the older Java release. Java 6 was not supposed to get additional security updates because it was nearing its end of life, but Oracle is keeping going with updates while trying to clear the current onslaught of security vulnerabilities.
Oracle’s applet security story has also been tightened up with even more restrictions on what applets can run. With Java 7 Update 17, Oracle added a simple slider control for setting the security level of unsigned applets in the Java Control Panel; it allowed users to choose a low, medium, high, or very high risk setting. The company’s latest update refines this approach. In early 2013, Oracle said it would modify the way the browser plugin handles unsigned and self-signed code.
Now, the “low-risk” level is no longer available, which means that unsigned and self-signed applets can no longer be executed without triggering a prior user warning. The browser plugin will only start the Java Virtual Machine and execute an application once users have confirmed they really do want to execute Java content. Developers who deliver Java applets to customers will need to look at getting the applets signed with a valid CA issued certificate.
The warnings for Java applets now come in two types: An applet that has a valid certificate generates a warning dialog with the Java logo in it and details of the applet’s certificate, but an applet signed with an invalid certificate, is unsigned or self-signed, will generate a warning with a yellow shield and warning triangle which is designed to recommend the applet should not run. There is a problem though with the certificate checking. Attackers were using revoked certificates as part of their attacks and the Java runtime was doing nothing to check the validity of certificates. On the latest update of Java, this has not changed either. Online validation and revocation checks are still off by default.
To remain safe, security professionals recommend users to disable Java in the browser; this can occur on Windows through the Java control panel by selecting “Disable Java content in the browser” under the Security tab. If Java a user occasionally needs Java, he should at least activate the click-to-play functionality in browsers such as Firefox and Chrome.
The updated editions of Java, JDK and JRE, are available from the Java SE Downloads page.