Java 7u11 now available for download

Release Notes:
Bug Fixes
This release contains fixes for security vulnerabilities. For more information, see Oracle Security Alert for CVE-2013-0422.
http://www.oracle.com/technetwork/topics/security/al...
In addition, the following change has been made:
Area: deploy
Synopsis: Default Security Level Setting Changed to High
The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.
http://www.oracle.com/technetwork/java/javase/7u11-r...
http://www.oracle.com/technetwork/java/javase/downlo...

I installed the offline and online package and no firefox plugin. FF is telling me to install the 7u10 plugin which of course fails because its blocked. Done on 3 machines.

yeah its a mess of a situation.

I think having things like blocklists when the new one doesnt work or not available is a big fail, no need for such hand holding.

I got it working by disabling the plugin blocker in about:config then reinstalling the latest java manually. If I just reinstalled the java and left the blocker on it didnt install to firefox, so seems that blocker is blocking the latest java on my machine.

java is heavily used in corporate environments so I think any auto blocking like this is a bad idea.

Thanks for the tip. Funny thing is it has installed in win 8 just not xp.

User security > temporary inconvenience.

major inconveniance when work apps use java.

java is a largely used app, eg. its commonly used for kvm access.

In my line of business I cant simply turn java off.

Also the fact having a version of java installed with a security vuln doesnt automatically mean bam exposed. Thats the problem with baby sitting type security that forces disabling software.

If you have a recent version of Firefox (certainly 18 and up, possibly 17 and up), you will get a red Lego brick at the left of the address bar when navigating to a page that needs Java. Click this and you get a drop down allowing you to activate Java one time or always for the site.

This seems a reasonable balance of security and convenience.


If this is too much hassle, find the XML blocklist in your Firefox profile (I think it's blocklist.xml but haven't checked), edit out the Java entry and make it read only to stop it being overwritten by a fresh copy from the Mozilla servers.

It's common for enterprise to whitelist Java sites at firewall level. This helps prevent infected/hacked sites from serving .jar with malicious payloads to vulnerable versions of Java.

90% of Java exploits are pure drive-by with zero user interaction required.

The "baby sitting" is required because, unlike Windows & Adobe products, Java doesn't have an automatic background update facility and as a result, many users are stuck on old versions of Java.

yes and that works fine for me thats how it works now.

But previously with that blocklist enabled, it blocked install of the latest java (the fixed one). Also firefox itself then would try to download an older version of java.

I cant afford for firefox to periodically disable java, and since I know what I am doing (only let it run when specifically approved) I just disabled the blocklist.