Standard User Zadeks
(experienced) Fri 01-Feb-13 21:24:35
Java 7 Update 13 now available
 
Oracle just released the February 2013 Critical Patch Update for Java SE. The original Critical Patch Update for Java SE was scheduled on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation "in the wild" of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.

In addition to a number of security in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets. In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops). Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.


https://blogs.oracle.com/security/entry/february_201...

Update now!
Standard User Apprentice
(knowledge is power) Fri 01-Feb-13 23:08:46
Re: Java 7 Update 13 now available

[re: Zadeks]
 
Wonder how long before this version gets vulnerable?

Alastair

omadasafisho
Standard User deleted
(deleted) Sat 02-Feb-13 10:21:50
Re: Java 7 Update 13 now available

[re: Zadeks]
 
I uninstalled java when the problem arose and I haven't found any reason for installing it again - if sites insist on using Java - tough



Standard User Chrysalis
(eat-sleep-adslguide) Sat 02-Feb-13 10:56:37
Re: Java 7 Update 13 now available

[re: deleted]
 
I would if I had an option, but I have work apps requiring it as well as a few custom apps I use which are Java based. Also Glasnost uses it as well for its tests. What I still find crazy is the installer still doesn't remove old versions.

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20

Edited by Chrysalis (Sat 02-Feb-13 10:57:03)

Standard User XRaySpeX
(eat-sleep-adslguide) Sat 02-Feb-13 14:26:55
Re: Java 7 Update 13 now available

[re: Chrysalis]
 
In reply to a post by Chrysalis:
What I still find crazy is the installer still doesn't remove old versions.
Yes, it does! I've just installed it and every file is dated today.

Years ago it used to keep old versions, but not for a long time has it done so.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 02-Feb-13 14:55:51
Re: Java 7 Update 13 now available

[re: Zadeks]
 
Just installed Java 7u13. Keeps asking "Do you want to run this app?" even tho' I ticked "Don't show this again for this app", on XP, for e.g. TBB Speedtest.

Noticed this before with Java 7u11 on Vista but not on XP. Was puzzled by it.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Standard User deleted
(deleted) Sat 02-Feb-13 15:32:15
Re: Java 7 Update 13 now available

[re: XRaySpeX]
 
From Java 7 Update 11 onwards, Oracle have changed the default Java security level from Medium to High. This causes a prompt for each applet, with an option to whitelist the site. The idea is that you cannot unwittingly run an app.

If you want to return to the old Medium setting, go into Control Panel, find Java, then lower the slider on the Security tab to Medium.
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 02-Feb-13 15:44:34
Re: Java 7 Update 13 now available

[re: deleted]
 
But why doesn't it obey "Don't ask me again?"? It's a pointless ineffectual Q.

How do you whitelist a site? I see nowt for this.

EDIT: Going Medium defeats object of security update.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC

Edited by XRaySpeX (Sat 02-Feb-13 15:45:56)

Standard User deleted
(deleted) Sat 02-Feb-13 16:05:13
Re: Java 7 Update 13 now available

[re: XRaySpeX]
 
In reply to a post by XRaySpeX:
Just installed Java 7u13. Keeps asking "Do you want to run this app?" even tho' I ticked "Don't show this again for this app", on XP, for e.g. TBB Speedtest.

Noticed this before with Java 7u11 on Vista but not on XP. Was puzzled by it.


Same here. I wonder whether that is connected to me not being able to get beyond the quick download section on the TBB test at which point it freezes? Exactly at the 5% point every time.
Standard User deleted
(deleted) Sat 02-Feb-13 16:28:15
Re: Java 7 Update 13 now available

[re: XRaySpeX]
 
In reply to a post by XRaySpeX:
But why doesn't it obey "Don't ask me again?"? It's a pointless ineffectual Q.

How do you whitelist a site? I see nowt for this.
The "Do not show this again for this app" option should whitelist the site. If it doesn't work, that seems about right for Oracle's pathetic QA.

In reply to a post by XRaySpeX:
EDIT: Going Medium defeats object of security update.
That's not true. The higher default security level in Java 7 Update 11 was because Oracle hadn't fully fixed the underlying security issue, also because they felt the overall Java threat environment justified opt-in protection.

In Java 7 Update 13, the security issue in question has, I believe, been fully fixed. If so (the verdict is awaited from the original reporter - he was fairly quick to shoot down Java 7 Update 11), you are fully protected from this issue even if you reset the level to Medium. You do, however, lose the ability to intercept unwanted apps before they run, which may protect you against as yet unknown security issues in Java. If you use something like NoScript in Firefox, where you have to opt in to all forms of active content, this extra protection is arguably unnecessary.


The bigger issue is that Oracle has to get to grips with the exploit potential of Java. Adobe PDF plugins and Flash Player were the historic favourite targets of malware, but Adobe has now sandboxed these plugins to give them restricted privileges (not on Windows XP - the sandboxing code relies on features only found in Vista and up), has given them auto-updating facilities and has become much more responsive to reported security issues. This makes the Adobe plugins much harder to exploit than previously.

Oracle, meanwhile, has not kept up. Java itself is not sandboxed, and its internal sandboxing facilities appear as leaky as a colander considering the number of privilege elevation exploits that have been found. There is no auto-updater and the manual updater is clunky. It's no surprise that the bad guys are increasingly targeting Java.

It seems likely that the response of many people will be to uninstall Java. For now, I'm keeping it on my machines, but none of us use it very much.
Standard User 4M2
(fountain of knowledge) Sat 02-Feb-13 16:52:45
Re: Java 7 Update 13 now available

[re: Zadeks]
 
Java can be accessed again from XP sp3 32bit Control Panel now, after the update, which seems pretty good - it disappeared from Control Panel after the previous update when I could only access it from C:\Program Files\Common Files.
Standard User Chrysalis
(eat-sleep-adslguide) Sat 02-Feb-13 22:04:07
Re: Java 7 Update 13 now available

[re: deleted]
 
It's worth noting Flash is auto sandboxed on Chrome and IE; the sandbox feature, as far as I am aware, was made specifically for Mozilla browsers, since for whatever reason Mozilla won't implement low integrity modes and sandboxing in their browser. When I questioned on Mozilla forums (which devs don't respond to but some fanboys do) I was told "it's too difficult to rewrite Firefox to support separating processes and privilege levels, breaks too many plugins etc.", suggesting it's not going to happen.

It's also worth noting that Java is the fashion of the day. Ultimately every software is vulnerable, but just certain software tends to get picked on from time to time depending on the ease of the exploiting and the takeup of that software (how many have installed); seems Java is now the new bully victim.

The best protection for this sort of thing firstly is a default low level privilege, so e.g. ideally no one should be browsing as an admin level user, after that sandboxing so the app itself is jailed in a restricted area, and after that whitelisting/approval only modes. These 3 combined with intelligent enough end users would stop exploits pretty much dead. If you can't be bothered setting up things in such a manner, e.g. limited user accounts combined with SRP, then just browse using a virtual machine :) and reload the snapshot on the machine every time you boot it up so even if exploited it's reset for the new session. Perhaps Microsoft should start IE in XP mode (since that uses Virtual PC).

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Standard User Zadeks
(experienced) Sat 02-Feb-13 22:34:01
Re: Java 7 Update 13 now available

[re: deleted]
 
Resetting the security level to medium is not a good idea.

"Unsigned Java apps in the browser will run without prompting only if the Java version is considered secure. (The JRE version should be at or above the latest security update release of Java from Oracle.) You will be prompted if an unsigned app requests to run on an old version of Java. To download the latest version of Java"

Nobody wants unsigned Java apps to run in the browser without prompting the user, even if Java is at the latest version, because it often takes Oracle forever to fix vulnerabilities. This is why Java is the #1 target.

The high setting is a start. "You will be prompted before any unsigned Java app runs in the browser. If the JRE is below the security baseline, you will be given an option to update."
Standard User Zadeks
(experienced) Sat 02-Feb-13 22:48:41
Re: Java 7 Update 13 now available

[re: Chrysalis]
 
Java is picked because it has little protection in place and does not have automatic updates. As a result, a lot of the user base fail to update to the latest version when a patch is released. Other vendors have learnt from their mistakes. *cough* Adobe *cough*

Applications have been running with user privileges since Vista. This makes malware removal far easier.
Standard User deleted
(deleted) Sun 03-Feb-13 04:49:53
Re: Java 7 Update 13 now available

[re: Zadeks]
 
In reply to a post by Zadeks:
Resetting the security level to medium is not a good idea.
It isn't that difficult to get a code signing certificate chained to a root in the Java root bundle (many common roots are not there). In other words, code signing helps, not least because rogue signing certificates can be revoked, but there is an inevitable time lag between a rogue app being published and any signing certificate used being revoked.

A signed app can go beyond the permissions sandbox of unsigned apps.


Nevertheless, I'm in support of the default now being High - as you say, it's best for users to be aware when an unsigned Java app is going to run. Hopefully this will encourage the reputable app publishers to sign their apps.
Standard User Chrysalis
(eat-sleep-adslguide) Mon 04-Feb-13 00:50:21
Re: Java 7 Update 13 now available

[re: Zadeks]
 
My point being, if the setup itself is secure, updates won't even be needed because existing vulns wouldn't even be effective or work. Updates are always behind 0day.

Also the default account configuration in Vista/Win7 and Win8 is not a jailed restricted user account. IE's default configuration on those OSes is far more secure than Firefox. Firefox only becomes reasonably secure after some configuration and 3rd party help such as with things like NoScript or sandbox software.

It's possible to put a Windows XP SP0 on the internet unpatched and it wouldn't get infected.

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Standard User Zadeks
(experienced) Mon 04-Feb-13 09:23:36
Re: Java 7 Update 13 now available

[re: Chrysalis]
 
Even if the setup is relatively secure, only an idiot would browse the web using an unpatched version of IE. Multiple steps are required to secure a box, and one of them is patching, which is usually at the top of the list, due to its effectiveness. This goes against the advice of the decent security vendors. http://blog.malwarebytes.org/intelligence/2013/01/we...

Bad guys do not waste precious 0day exploits on the average joe. These days, people usually get infected because they failed to patch a vulnerable piece of software. Again, this isn't helped by Java's lack of auto update.

User privileges have been restricted since Vista and this makes malware removal far easier. The Firefox browser is getting more secure, day by day, without the need to complicate the situation for the user by introducing complex add-ons and 3rd party sandbox software.

It "might" not get infected, there are no guarantees in the security world when you are dealing with a ticking time bomb.

Just because your approach works for you, this doesn't mean it'll work for everyone.
Standard User deleted
(deleted) Mon 04-Feb-13 15:24:01
Re: Java 7 Update 13 now available

[re: Apprentice]
 
I can hear the clock ticking.
Standard User deleted
(deleted) Mon 04-Feb-13 16:33:37
Re: Java 7 Update 13 now available

[re: deleted]
 
Updated today, and am now unable to run anything that uses Java - including verifying the installation on the Java website. I have uninstalled, and re-installed, but it is not working.

Any suggestions?
Standard User Chrysalis
(eat-sleep-adslguide) Tue 05-Feb-13 02:59:20
Re: Java 7 Update 13 now available *DELETED*

[re: Zadeks]
 
Post deleted by Chrysalis
Standard User Zadeks
(experienced) Tue 05-Feb-13 09:22:38
Re: Java 7 Update 13 now available *DELETED*

[re: Chrysalis]
 
We've seen the odd Java & IE 0day, but you're going to have to back up the 70% figure if you want me to take you seriously.

The silent background Flash updater checks for security updates every 24 hours, and installs the updates silently. A reboot isn't required. http://blogs.adobe.com/spohl/2012/03/30/hello-adobe-...

If there's an exploit in the wild and a vendor releases a patch, it's going to have a huge impact on the malware's ability to spread. This is why we're seeing an increase in the popularity of apps like Secunia CSI & PSI. The AV industry regularly pushes patching advice on their blogs. Mozilla and Google block out of date plugins for the same reason.

Some people disabled UAC, the ignorant ones! In reality, all they had to do was tweak the notification bar a little. Firefox is always targeted, which is why Mozilla continues to push security updates and work on useful features such as automatic blocking of out of date plugins and background updates. FF has a much better security track record than IE, and is more secure because of this.

Sure, some companies might want to vet the odd update. We've seen a lot of the industry move to patching solutions such as Secunia PSI because they've had a lot of success. AV doesn't always protect against old obfuscated Java exploits, patching usually does. A lot of the time, if a company waits too long, they'll get 0wned. I'd rather experience a little stress after ironing out a couple of user complaints, than the stress of clearing up a huge malware infection because I waited too long to patch my network.
Standard User Chrysalis
(eat-sleep-adslguide) Tue 05-Feb-13 13:46:50
Re: Java 7 Update 13 now available *DELETED*

[re: Zadeks]
 
I deleted my post because I am not going down the same path as the other thread.

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Standard User Oliver341
(knowledge is power) Wed 06-Feb-13 20:22:18
Re: Java 7 Update 13 now available

[re: Zadeks]
 
In reply to a post by Zadeks:
Again, this isn't helped by Java's lack of auto update.

But Java does have auto update, doesn't it?

http://www.java.com/en/download/help/java_update.xml

Oliver.
Standard User Zadeks
(experienced) Wed 06-Feb-13 21:09:16
Re: Java 7 Update 13 now available

[re: Oliver341]
 
No. Jusched is an update notification utility.
Standard User yarwell
(sensei) Wed 06-Feb-13 21:09:48
Re: Java 7 Update 13 now available

[re: XRaySpeX]
 
Years ago it used to keep old versions, but not for a long time has it done so.
Only today I removed about 10 previous versions of Java from a PC after installing the latest update. They were all hanging out in Add/Remove programs.

--

Phil

MaxDSL - goes as fast as it can and doesn't read the line checker first.

MaxDSL diagnostics
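
An added example, not part of any poster's message: one way to check for the leftover JRE entries described in the post above, by auditing Add/Remove Programs display names against the Java 7 Update 13 baseline from this thread. The display-name patterns, the function names `parse_jre` and `audit`, and the sample inventory are assumptions constructed for illustration.

```python
import re

# Baseline taken from the thread: Java 7 Update 13 is the patched release.
BASELINE = (7, 13)

# Display-name shapes assumed for JRE entries in Add/Remove Programs.
_JRE_NAME = re.compile(
    r"^(?:Java(?:\(TM\))?(?: SE Runtime Environment)?|J2SE Runtime Environment)"
    r"\s+(?P<major>\d+)(?:\.0)?"
    r"(?:\s+Update\s+(?P<update>\d+))?"
    r"(?:\s+\((?P<arch>64-bit)\))?\s*$"
)

# Constructed sample inventory (not taken from any real machine).
SAMPLE_INVENTORY = [
    "Java 7 Update 13",
    "Java(TM) 6 Update 31",
    "Java(TM) 6 Update 22",
    "J2SE Runtime Environment 5.0 Update 22",
    "Java(TM) 7 Update 11 (64-bit)",
    "Java Auto Updater",
    "Mozilla Firefox 18.0.1 (x86 en-GB)",
]


def parse_jre(display_name):
    """Return (major, update, arch) for a JRE entry, or None for anything else."""
    m = _JRE_NAME.match(display_name.strip())
    if not m:
        return None
    return (int(m["major"]), int(m["update"] or 0), m["arch"] or "32-bit")


def audit(display_names, baseline=BASELINE):
    """Split installed JREs into current and stale relative to the baseline."""
    current, stale = [], []
    for name in display_names:
        parsed = parse_jre(name)
        if parsed is None:
            continue  # not a JRE (e.g. the updater or an unrelated program)
        major, update, _arch = parsed
        bucket = current if (major, update) >= baseline else stale
        bucket.append(name.strip())
    # Oldest first, so the entries most overdue for removal lead the list.
    return {"current": current, "stale": sorted(stale, key=parse_jre)}


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for name in report["stale"]:
        print("STALE  ", name)
    for name in report["current"]:
        print("CURRENT", name)
```

A stale entry alongside a current one means an older runtime is still installed next to the patched release.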
Standard User XRaySpeX
(eat-sleep-adslguide) Wed 06-Feb-13 21:17:22
Re: Java 7 Update 13 now available

[re: yarwell]
 
Were they all Java 6?

I seem to remember that I did that manually on each new update of Java 6, but didn't need to once Java 7 came.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 19 Meg WBC
Standard User Apprentice
(knowledge is power) Thu 07-Feb-13 16:09:58
Re: Java 7 Update 13 now available

[re: Zadeks]
 
In the Java control panel there is an option to have updates downloaded automatically and then be notified about it before installing the Java update, no unknown auto install of an update.

Alastair

omadasafisho
Standard User Chrysalis
(eat-sleep-adslguide) Thu 07-Feb-13 16:14:26
Re: Java 7 Update 13 now available

[re: Apprentice]
 
I have had that enabled for ages and on my system it doesn't work 90% of the time, e.g. it has yet to notify me of update 13, but it does notify me if I try to run a web Java app.

BT Infinity 2 Since Dec 2012 - Estimate 65.9/20 - Attainable peak 110/36 - Current Sync 71/20
Standard User Zadeks
(experienced) Thu 07-Feb-13 17:04:11
Re: Java 7 Update 13 now available

[re: Apprentice]
 
This is the issue. It's far too manual.
Standard User Apprentice
(knowledge is power) Thu 07-Feb-13 18:55:36
Re: Java 7 Update 13 now available

[re: Chrysalis]
 
Same here, but I do remember some time in the past it did use to flag up there was a new update available, but goodness knows which version allowed that to work.

Alastair

omadasafisho
Standard User iand
(fountain of knowledge) Fri 08-Feb-13 18:41:49
Re: Java 7 Update 13 now available

[re: XRaySpeX]
 
Now you mention it, Java 6 was always there; Java 7 removes the older versions.

IanD
Standard User yarwell
(sensei) Fri 08-Feb-13 20:36:47
Re: Java 7 Update 13 now available

[re: XRaySpeX]
 
Were they all Java 6?
Probably, and earlier.

http://java.net/downloads/jugs/Jan24_JUGLeaderCall.mp3 is worth a listen ;)

--

Phil

MaxDSL - goes as fast as it can and doesn't read the line checker first.

MaxDSL diagnostics

Edited by yarwell (Fri 08-Feb-13 20:52:43)

Standard User deleted
(deleted) Fri 08-Feb-13 23:30:40
Re: Java 7 Update 13 now available

[re: iand]
 
Can anyone explain to me why I can't use the Think Broadband speed checker? I keep getting asked to install Java, but I've just installed the latest update and I'm getting nowhere.
Standard User iand
(fountain of knowledge) Sat 09-Feb-13 09:10:20
Re: Java 7 Update 13 now available

[re: deleted]
 
I am using the latest and it works for me.

I would suggest a few things.

Go to www.java.com and use the option to check what version you have. Is it the latest?

Remove all Java from the PC, reboot and then re-install.

If that does not work, then part of the settings in the registry are then corrupt. Look for a Java remove tool on the web, e.g. remove all Java from the PC, run the Java remove tool, reboot and then re-install.

IanD