Release Notes:
Bug Fixes
This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422.
http://www.oracle.com/technetwork/topics/security/al...
In addition, the following change has been made:
Area: deploy
Synopsis: Default Security Level Setting Changed to High
The default security level for Java applets and Web Start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and Web Start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run, to prevent silent exploitation.
http://www.oracle.com/technetwork/java/javase/7u11-r...
http://www.oracle.com/technetwork/java/javase/downlo...
I installed the offline and online package and no Firefox plugin. FF is telling me to install the 7u10 plugin, which of course fails because it's blocked. Done on 3 machines.
Yeah, it's a mess of a situation.
I think having things like blocklists when the new one doesn't work or isn't available is a big fail; no need for such hand-holding.
BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
I got it working by disabling the plugin blocker in about:config, then reinstalling the latest Java manually. If I just reinstalled the Java and left the blocker on, it didn't install to Firefox, so it seems that blocker is blocking the latest Java on my machine.
Java is heavily used in corporate environments, so I think any auto-blocking like this is a bad idea.
Thanks for the tip. Funny thing is, it has installed in Win 8, just not XP.
User security > temporary inconvenience.
Major inconvenience when work apps use Java.
Java is a largely used app, e.g. it's commonly used for KVM access.
In my line of business I can't simply turn Java off.
Also, the fact of having a version of Java installed with a security vuln doesn't automatically mean bam, exposed. That's the problem with babysitting-type security that forces disabling software.
If you have a recent version of Firefox (certainly 18 and up, possibly 17 and up), you will get a red Lego brick at the left of the address bar when navigating to a page that needs Java. Click this and you get a drop-down allowing you to activate Java one time or always for the site.
This seems a reasonable balance of security and convenience.
If this is too much hassle, find the XML blocklist in your Firefox profile (I think it's blocklist.xml but haven't checked), edit out the Java entry and make it read only to stop it being overwritten by a fresh copy from the Mozilla servers.
It's common for enterprise to whitelist Java sites at firewall level. This helps prevent infected/hacked sites from serving .jar with malicious payloads to vulnerable versions of Java.
90% of Java exploits are pure drive-by with zero user interaction required.
The "baby sitting" is required because, unlike Windows & Adobe products, Java doesn't have an automatic background update facility and as a result, many users are stuck on old versions of Java.
Yes, and that works fine for me; that's how it works now.
But previously, with that blocklist enabled, it blocked install of the latest Java (the fixed one). Also Firefox itself then would try to download an older version of Java.
I can't afford for Firefox to periodically disable Java, and since I know what I am doing (only let it run when specifically approved) I just disabled the blocklist.
That's fine; that's very different to blocking Java in the entire browser.
I also whitelist Java on approved sites in all my browsers.
The whitelisting is for extra control. I'm still very much in favour of blocking vulnerable plug-ins. If anything, it encourages users to update to the latest version if they're presented with the appropriate option.
Did you read that I did update?
Whitelisting is by far the best solution, but I suspect it's considered "too complex" for the average user, so a hand-holding approach with auto-blocking was considered better.
At the very least, if I developed such a mechanism I would:
(a) not auto-block old software until a new version is available
(b) when auto-blocking, ensure an easy upgrade path is presented to the user that works.
(c) not auto-block the new fixed version, oops.
a) Would be careless. They're blocking it to protect users.
b) I agree.
c) Indeed. Big Firefox fail. No issues in Chrome.
Edited by Zadeks (Mon 28-Jan-13 20:45:44)
"(c) not auto block the new fixed version, oops."
The fix in 7u11 is reported to be incomplete and ineffective by the person who found the original issue. There was a lot of debate in Mozilla Bugzilla about blocking 7u11, but it was decided that the lowest level of blocking (click to activate with a warning) was appropriate under the circumstances.
If you disagree with the blocking, you can always manually edit the blocklist in your profile and make it read only to prevent further downloads from the Mozilla servers.
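Two posts in this thread suggest editing the Java entry out of the blocklist in the Firefox profile and making the file read-only. Before touching the file at all, it is worth being able to read it and see exactly which entry is acting on the installed plugin and whether it is a hard block or the softer click-to-activate block mentioned for 7u11. The script below is an added example, not code from this thread, from Mozilla or from Oracle. It parses a blocklist in the shape of Firefox's blocklist.xml (namespace, `pluginItem`, `match` and `versionRange` elements and the `severity`/`vulnerabilitystatus` attributes are assumed from that format) and classifies what the list would do to a named plugin. The sample blocklist, its `blockID` values, regexes and plugin names are constructed placeholders, not real entries.

```python
# Added example (not from this thread, Mozilla or Oracle): inspect a
# Mozilla-style plugin blocklist and explain what it would do to a given plugin.
# The blocklist below is constructed for illustration; blockIDs, regexes and
# plugin names are placeholders, not real blocklist entries.
import re
import xml.etree.ElementTree as ET

# Namespace used by Firefox's blocklist.xml (assumed from the file format).
NS = {"bl": "http://www.mozilla.org/2006/addons-blocklist"}

# Constructed sample in the shape of blocklist.xml: entry 1 is a hard block on
# older Java 7 builds, entry 2 is the softer "click to activate" block carrying
# the vulnerable flag, which is what the 7u11 discussion above describes.
SAMPLE_BLOCKLIST = r"""<?xml version="1.0"?>
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <pluginItems>
    <pluginItem blockID="pEXAMPLE-1">
      <match name="name" exp="Java\(TM\) Platform SE 7 U([0-9]|10)$"/>
      <versionRange severity="1"/>
    </pluginItem>
    <pluginItem blockID="pEXAMPLE-2">
      <match name="name" exp="Java\(TM\) Platform SE 7 U11$"/>
      <versionRange severity="0" vulnerabilitystatus="1"/>
    </pluginItem>
  </pluginItems>
</blocklist>
"""


def matching_entries(blocklist_xml, plugin_name, plugin_filename=""):
    """Return the pluginItem elements whose every <match> regex hits the plugin."""
    root = ET.fromstring(blocklist_xml)
    attrs = {"name": plugin_name, "filename": plugin_filename}
    hits = []
    for item in root.iterfind(".//bl:pluginItem", NS):
        matches = item.findall("bl:match", NS)
        if matches and all(
            re.search(m.get("exp", ""), attrs.get(m.get("name", ""), ""))
            for m in matches
        ):
            hits.append(item)
    return hits


def evaluate_plugin(blocklist_xml, plugin_name, plugin_filename=""):
    """Classify the first matching entry as a hard block or click-to-activate.

    Interpretation (an assumption about the format): severity >= 1 disables the
    plugin outright; severity 0 keeps it available behind a click-to-activate
    prompt, and vulnerabilitystatus adds the "outdated/vulnerable" wording.
    Returns (blockID, outcome) or None when nothing in the list applies.
    """
    for item in matching_entries(blocklist_xml, plugin_name, plugin_filename):
        vr = item.find("bl:versionRange", NS)
        severity = int(vr.get("severity", "1")) if vr is not None else 1
        vulnerable = vr is not None and vr.get("vulnerabilitystatus") is not None
        if severity >= 1:
            outcome = "hard-blocked"
        elif vulnerable:
            outcome = "click-to-activate (flagged vulnerable)"
        else:
            outcome = "click-to-activate"
        return item.get("blockID"), outcome
    return None


if __name__ == "__main__":
    # Constructed plugin names, in the style Firefox reports for the Java plugin.
    for name in ("Java(TM) Platform SE 7 U10", "Java(TM) Platform SE 7 U11",
                 "Java(TM) Platform SE 7 U13", "Shockwave Flash"):
        print(f"{name}: {evaluate_plugin(SAMPLE_BLOCKLIST, name)}")
```

Run against the real file by replacing `SAMPLE_BLOCKLIST` with the contents of blocklist.xml from the profile directory and the constructed plugin name with the name shown in the Firefox plugins list. The output tells you which `blockID` is responsible and whether the entry is a hard block or only click-to-activate, which is the information to take to Bugzilla or to use when deciding whether a per-site activation is enough, rather than removing the entry blind.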
I actually think what they did was careless; it assumes:
(a) they always know better than their end users, akin to a parent looking after his/her toddler.
(b) no one is reliant on Java for something critical, so can do without it.
It took me all of 2 mins to think of something better.
e.g. if a blacklisted plugin was blocked, all that is needed is a prompt to tell the end user it's blocked and why (instead of silently making it not work), and then allow the user to override the block should they need to.
Edited by Chrysalis (Mon 28-Jan-13 23:15:17)
I didn't get a click-to-activate prompt; it simply wouldn't appear in the plugin list and wasn't usable at all.
Any Java link simply showed it as not available and there was no prompt to allow for it. That 7u11 on this machine in my Firefox was blocked 100%. If that wasn't their intention then I guess it was a bug, but still it lost me a lot of valuable time diagnosing it and getting it to work again.
The read-only idea seems viable, something I will consider.
Edited by Chrysalis (Mon 28-Jan-13 23:11:38)
a) A lot of the time they do. This is backed up by the fact that a very small percentage of users upgrade to the latest version of Java. The majority of end users are clueless and need their hand holding. This includes a lot of sysadmins.
b) It's time to ditch Java and replace it with something else, just like they have done with the BT speed test.
The block shouldn't be too easy to override; otherwise, users will just click the most obvious option and the block will become useless.
And it also shouldn't be too hard, as in my case I ended up disabling it.
Never take control away from the end user; a big no-no in software, which more and more devs seem to fail to understand.
Remember the end user always has the control to stop using the software.
You're the exception. This is in place to protect the average Joe. Fewer and fewer web apps are using Java, so it's becoming less of an inconvenience. Most of the time it is bundled or required by a game such as Minecraft. It's far easier to overcome a temporary block than it is to clean up a nasty infection.
Since installing this, for IE8, I've noticed numerous locked files of the form REGxx.TMP, mostly of zero length, in the Win TEMP folder, that were never there before. Upon investigation they are being locked by IE8 and, after unlocking, the latest one contains: "Latest JRE version: 1.7.0_11". Is Java forming them, and why?
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
I think if a user was clueless then they probably wouldn't be using Firefox in the first place and would just stick to the default of IE.
And banger is also, I assume.
Are you really condoning silently blocking the app? The same sort of behaviour as what the IWF do.
If someone has Java installed, then it's probably for a reason. Most people won't even have Java installed, but obviously if someone has it installed then they probably have an app that needs it.
I am not an exception; in corporate remote management of servers, 90% of the software is web Java based. But then again, I guess this is why Firefox isn't used too much in corp environments, as it's developed with the residential desktop user in mind and is now copying the Chrome mindset of dumbing down the app.
e.g. would you like it if Windows blocked Firefox and Chrome silently every time they had an open vuln? Microsoft would get sued for anti-competitive behaviour.
Yep.
The really dumbed-down users will be on IE (maybe another browser if supplied with the OEM setup).
The next slightly dumb user will probably be using Chrome, as Chrome is bundled with tons of apps and has download links splattered in various places, including the Google home page. Chrome was designed dumbed down from the start.
Firefox traditionally has been used by power users and is highly tweakable as a result, but lately the devs have gone into a panic and started blindly copying Chrome policies such as the rapid updates, silent upgrades and silent blocking, and also they have started to remove tunables under the pretence that the dev knows better.
Blocking a vulnerable plug-in to protect users is a little different to blocking an entire IP address (maybe even more than just a single address).
Like I said earlier, Java is often bundled with other applications, even if the application doesn't require it. Oracle receive money from the Ask Toolbar that is bundled with Java (opt-in by default). When people install Java because they want to play Minecraft and use OpenOffice, they do not need the web plug-in.
We manage a few hundred servers; none of the remote access solutions require Java. Alternatives do exist, no need to use nasty Java-dependent solutions such as GoToAssist.
Not sure why you're picking on Chrome. It's a flexible browser and added advanced features such as click-to-play plug-in mode, automatic background updates and auto-blocking of out-of-date plug-ins way before Firefox.
Microsoft would probably block their own browser before Chrome and FF, since IE has had the most active zero-days, with FF in second. http://krebsonsecurity.com/2012/10/in-a-zero-day-wor...
I manage over 400 servers; all of these have built-in remote KVM functions, 70-80% of these servers require Java to use, and they're not all the same vendor either: some are HP, some are different and some also use a 3rd-party KVM device.
I picked on Chrome as I see rapid updates, automatic background updating and auto silently blocking out-of-date plugins as bad features. Chrome also isn't very tunable (unless I am missing something), e.g. can't tune the connection limits, timeouts, keepalive etc. It's hard to even install it to a non-standard location, use a ramdisk for temp files and so on. In that respect it's a very dumbed-down app compared to Firefox; after Chrome started getting a good userbase, Firefox devs have very clearly been copying it on policies, and I consider Firefox to have gone downhill since then.
The latest Java even on IE now needs click approval. IE supports click-to-play by itself as well (just not enabled by default) by removing the * from approved sites; then that will generate a prompt for every site not yet approved, as well as IE10 on Windows 8 supporting a higher security mode.
There is security, and then there is going too far: silently blocking apps that can be crucial, without warning, and then with no working upgrade/workaround path in place is just silly, and it shows that Firefox devs have lost touch with their userbase. If you googled the issue you would find dozens and dozens of hits of people making posts on various sites complaining of the same issue; it's one of those things where they're scared of some bad PR so took draconian measures.
You of all people should know security is a layered approach; just because someone might have a slightly vulnerable piece in place, it doesn't mean they are then suddenly likely to get compromised.
Edited by Chrysalis (Wed 30-Jan-13 18:21:39)
KVM management is an incredibly small percentage of the Java market. As web technologies progress, the industry will move away from Java. Here is a good example: http://yle.fi/uutiset/danske_bank_plans_new_java-fre...
If the industry were to follow your line of thinking regarding browser security, we would be in a very bad place. Microsoft, Google and Mozilla all have a similar vision and are implementing worthwhile security features. Chrome has been a market leader in terms of security for some time, which is why Mozilla is playing catch-up. You should probably use an old version of Linux and Firefox if you want an insecure environment.
The Chrome UI is kept simple to make it user-friendly, but it is still considerably tweakable under the hood. As always, Google is your friend.
The recent security changes to Java are a step in the right direction, but it desperately lacks automatic background update. Users are click-happy and will always click OK, Accept, Run, etc.
It is better to inconvenience an incredibly small amount of the userbase while protecting the majority at the same time.
Java has always been massively vulnerable because there are so many out-of-date installations of it in the wild that do not have the latest security features introduced by Oracle. This is why it is targeted by the bad guys. Java accounted for 50 percent of all cyberattacks last year, according to Kaspersky. This is not a slightly vulnerable piece of software. http://www.kaspersky.com/about/news/virus/2012/Oracl...
Edited by Zadeks (Wed 30-Jan-13 19:05:39)
Well, got caught by Exploit:JS/Blacole.kh today. Even though it was picked up by antivirus and cleaned, a restart brought up a new Rundll.exe.
Not worth the risk; reinstalled from backup.
Funny, but Ad-Aware is showing the site as safe.
Keep your system patched. AV is useless. Secunia PSI is your friend.
http://www.microsoft.com/security/portal/threat/ency...
"Typically, the Blackhole exploit kit attempts to exploit vulnerabilities in applications such as Oracle Java, Sun Java, Adobe Acrobat and Adobe Reader"
May have got it from other places than the Java exploit.
Don't assume I didn't google. Because I did, and all I found was many complaining of the same thing: the lack of control over the app. Chrome has its good points, but the down points currently make it unviable for me to use.
How do you know it's an incredibly small amount of the userbase? How do you know people blindly click yes on security warnings? You don't.
Googling the issue I found over 300 people complaining in a 10-minute search. You might say, well, millions use the app of course, but the majority affected, since it's a silent block, wouldn't have a clue what's going on.
Serving a so-called dumb majority, Firefox is copying Chrome; power user apps don't serve dumb majorities.
For your information, Firefox itself has more vulnerabilities against it than Java. Same with Internet Explorer. All 3 apps have issues, nothing new there.
In this case an automatic background check wouldn't have fixed anything, as Firefox, I repeat, blocked the latest version.
If you want 100% security then disconnect the internet cable and lock the machine away in a vault. As I said before, if software vendors use draconian methods to try and lock down software it's counterproductive, because often the end user, as a countermeasure, disables that protection, e.g. people commonly disabled UAC on Vista as it was over-intrusive, and I (and others) disabled Firefox plugin protection.
What's funny is Firefox doesn't block 2-year-old Flash versions, but blocks a 1-week-old Java version.
And yes, I agree Java is dying, but since the software is attached to no-longer-updated KVM kit, the devices I use will be Java based forever until the hardware is replaced.
Also, don't believe my browser is insecure; you assume wrong again. I don't care. The difference is, though, I also hold value in end user control and usability.
Microsoft don't automatically disable old versions of plugins. What they are moving towards is running plugins inside secure containers that don't have elevated permissions. That's a much tidier solution than what Mozilla have implemented. In fact Firefox doesn't even have non-elevation or built-in sandboxing yet. Adobe had to make a special sandbox feature in Flash to account for the Firefox state.
--edit--
I can confirm now that when trying to run a Java web-based app, a prompt now pops up saying it's out of date, with an update button.
Edited by Chrysalis (Sat 02-Feb-13 11:37:06)
If there were a huge demand for features, they would be added to Chrome. In reality, the demand is tiny.
KVM is a niche market. It isn't as widespread as something like OpenOffice. If you look at Blackhole exploit kit statistics, you will find that Chrome users are just as likely to be exploited by a Java exploit, even when Chrome asks its users if they want to run Java. Users will often blindly click yes, just to get rid of notifications. They're used to being told the same thing by IT departments.
Click-to-play and plug-in blocking are new technologies, and will improve over time. It's never a smooth transition going from an insecure to a secure environment. It took a while for people to get used to UAC after it was introduced in Vista.
In-the-wild exploits are more important than reported vulnerabilities. Chrome has vulnerabilities reported on a daily basis; this doesn't mean they're being exploited in the wild and putting users at risk. Regular updates ensure that users are protected.
Automatic background updates help to protect users. It's down to Firefox to sort out the plug-in whitelisting.
These steps are necessary because Oracle is lagging behind the competition. The majority of users won't notice a thing as more and more companies introduce automatic background updates. These features will improve over time; UAC is a good example of this.
Microsoft is always lagging behind the competition when it comes to security features, no surprise there. Adobe took advantage of plugin-container when they were working on the Flash sandbox. http://blogs.adobe.com/asset/2012/06/inside-flash-pl...
IE has finally taken responsibility for Flash in the latest version, and the new features in IE10 and Win8 are nice, but this doesn't help users stuck on older versions of the OS and browser. No wonder people are dropping IE!
Edited by Zadeks (Sat 02-Feb-13 12:40:19)
I am aware Chrome is for the mass consumer market, which is why I don't like it. Not sure why we're debating that; plus it's off topic.
I also have no issue with click-to-play.
No issue with whitelists.
I personally know no one who blindly clicks yes; my sister rings me up with a heart attack every time it happens, my dad says no and emails me with screenshots. So whilst some people may blindly click yes, not everyone does it. We can't hand-hold everyone; if people get infected, tough.
Using Firefox in its default state I wouldn't say is secure. Doing silly things like this isn't necessarily more secure either; patching software to close "fixed reported vulns" is just a small piece of the jigsaw.
By the way, one reason I don't use Chrome is the automatic background updates, and I disable them on Firefox. Am I an idiot for doing that, and insecure? Since I heavily use my browser I have to test every new version; if it breaks something important then it doesn't get updated until I have a workaround or Firefox themselves fix it.
Network administrators in companies will often run outdated software for the reason that they can't run incompatible apps, but it doesn't make them insecure, as they will lock down systems in other ways to prevent successful exploitation. Patching is just part of the process.
Seems your idea is that unless something is in widespread use it can be routinely made unusable (broken) and it doesn't matter. This attitude is why users routinely disable security features, which probably frustrates developers wondering why users do it. Since we're going in circles, I am stopping here.
To remind you on this final post: I wouldn't have had a real issue with it if there was a simple way to override it and the app told me why the plugin wasn't working (instead of being sly about it and being silent). I would have just temporarily overridden it for Java and kept the blacklist function turned on.
Regarding automatic updates, the reason I don't approve of silent updates is that Chrome and Firefox are now merging security updates with feature updates, meaning one has to accept automatic feature updates, which can easily introduce bugs, remove usability and break addons and features. If they had just automated security updates only but required human approval for feature updates, I expect there would be much less hostility to it, like people accepting automatic A/V updates.
So I am out of this thread now.
The point is that infection can be prevented through the use of whitelisting, click-to-play, automatic background updates, etc. We don't let people get infected just because they aren't technically minded.
I'm a Chrome power user and I've never experienced a bad update. You should probably look at another browser if FF really is as bad as you make it out to be. Maybe you're just a tad paranoid.
Running out-of-date software is insecure. Companies might attempt to lock down systems, but in reality this usually just consists of installing anti-virus on the endpoints, which is why we see so many companies getting 0wned on a weekly basis.
Patching is an incredibly important part of the process. We've already started rolling out Secunia CSI because it makes management of Java and Adobe products so much easier.
You have Oracle to blame for the disabled plug-in. You wouldn't have to wait as long if they patched vulnerabilities quickly.
FF does tell users when and why plug-ins are blocked. Maybe you should direct your feedback at Mozilla.
Plenty of browser choice; feel free to jump ship if you don't like it. No sign of a mass exodus; seems most people couldn't give a damn.
So I am still here. Browser choice is actually not great when they're all copying each other, especially Firefox now starting to copy Chrome. I have made my choice, and Firefox sadly is the best of a bad bunch.
Also, one reason people aren't educated is they are misinformed that as long as they have an A/V and update their software they are safe. Your message just reinforces that misleading message. Patched software is still vuln; just the vulns haven't been disclosed yet.
Now I really need to get away from this thread as it's sucking up my time.
The main misinformation is that AV keeps people safe. AV is snake oil, almost as bad as malware, because they use scare tactics to push it. The price of AV has dropped over the years because people are becoming wiser. Protecting against old threats is no good, because it is so easy to obfuscate existing exploits.
If all software were kept up to date automatically, people would be far safer. The bad guys are still exploiting vulnerabilities that were patched years ago, just because people don't keep their systems up to date. Patched software is still vulnerable to what? Undiscovered vulnerabilities?
The bad guys don't waste 0day exploits on regular users when they can sell them for 100k to governments and other cyber criminals. They will often reverse engineer software patches and incorporate the exploit into their kits, some time after the vendor has released a patch. There is nothing misleading about encouraging people to keep their systems up to date. It is free, doesn't hog system resources and takes little time. Secunia PSI FTW.
"Plenty of browser choice, feel free to jump ship if you don't like it. No sign of a mass exodus, seems most people couldn't give a damn."
There are little differences between some, and it may be down to personal preference, but for example, I could never use Opera, as it doesn't do what I want.
Soon Chrome will be over the 50% share of the browser market in some website measuring data:
http://www.w3schools.com/browsers/browsers_stats.asp
Not because it's inherently better, but because it is better marketed. How else could it make such strides since its inception, if FF took far longer, and IE retained its grip for so long? We all agree there was a point when FF was the major competition to IE and it was a far better browser for standards, security and features?
So it takes around five years to overtake IE, while Chrome, a decent browser, but by no means head and shoulders above FF in the way FF was to IE, takes the big share in less than four years. Big company marketing, coupled with toolbars, add-ons and then browsers. If it's not the Google toolbar, it's the Yahoo toolbar.
No one has ever asked me to install a FF or Opera toolbar, and that will probably be why Chrome is now the top dog. Remember that. Marketing; not superior product (by that I mean I remain unconvinced that there's much difference between Chrome, FF and Opera for the user who has never used any of them... we all find the browser we prefer).
If we're talking pure HTML5 tests, Maxthon leads the way, and while Opera outscores FF, I find Opera lacking for me from time to time in usability. Safari is pretty much along the same lines in that sometimes it seems just the same, other times it's not so good (for me).
"i'm a Chrome power user and I've never experienced a bad update."
Not sure the date of this, but it is probably in the '93-'95 era. I wonder how much has changed?
http://www.gnu.org/fun/jokes/power.users.html
I've seen bad updates for a multitude of products. It doesn't make the product bad. It just makes the update bad.