Oracle has released update 45 for version 7.0 of both the development kit and the runtime environment of Java Standard Edition. It is a regular, scheduled update that is meant to fix a number of security problems. In addition, a change has been made to how the time and date handling works: an exception will now be thrown when it is called by code that does not have the right permissions. A warning has also been added for web pages that make LiveConnect calls into an RIA without being properly signed or configured.
Java SE 7 Update 45 Changes
New Date/Time Capability
The java.util.TimeZone.setDefault(TimeZone) method has been changed to throw a SecurityException if the method is called by any code with which the security manager's checkPermission call denies PropertyPermission("user.timezone", "write"). The new system property jdk.util.TimeZone.allowSetDefault (a boolean) is provided so that the compatible behavior can be enabled. The property will be evaluated only once when the java.util.TimeZone class is loaded and initialized.
Security Changes
LiveConnect
This release introduces a new warning when web pages initiate LiveConnect calls into an RIA without being properly signed/configured. Planned for the future, Java SE 7 Update 51 (January 2014) will introduce a requirement that all RIAs distributed publicly be signed by a valid certificate and contain a new Permissions attribute. These changes only affect Applet & Web Start applications (Rich Internet Applications). They do not affect other areas, such as: server-side, embedded, or client. Read more in the blog LiveConnect changes in 7u45.
Protections Against Unauthorized Redistribution of Java Applications
Starting with 7u45, application developers can specify new JAR manifest file attributes:
- Application-Name: This attribute provides a secure title for your RIA.
- Caller-Allowable-Codebase: This attribute specifies the codebase/locations from which JavaScript is allowed to call Applet classes.
  JavaScript to Java calls will be allowed without any security dialog prompt only if:
  - JAR is signed by a trusted CA, has the Caller-Allowable-Codebase manifest entry and JavaScript runs on the domain that matches it.
  - JAR is unsigned and JavaScript calls happen from the same domain as the JAR location.
  The JavaScript to Java (LiveConnect) security dialog prompt is shown once per Applet classLoader instance.
- Application-Library-Allowable-Codebase: If the JNLP file or HTML page is in a different location than the JAR file, the Application-Library-Allowable-Codebase attribute identifies the locations from which your RIA can be expected to be started.
  If the attribute is not present or if the attribute and location do not match, then the location of the JNLP file or HTML page is displayed in the security prompt shown to the user.
  Note that the RIA can still be started in any of the above cases.
Developers can refer to JAR File Manifest Attributes for more information.
Restore Security Prompts
A new button is available in the Java Control Panel (JCP) to clear previously remembered trust decisions. A trust decision occurs when the user has selected the Do not show this again option in a security prompt. To show prompts that were previously hidden, click Restore Security Prompts. When asked to confirm the selection, click Restore All. The next time an application is started, the security prompt for that application is shown.
See Restore Security Prompts under the Security section of the Java Control Panel.
JAXP Changes
Starting from JDK 7u45, the following new processing limits are added to the JAXP FEATURE_SECURE_PROCESSING feature.
- totalEntitySizeLimit
- maxGeneralEntitySizeLimit
- maxParameterEntitySizeLimit
For more information, see the new Processing Limits lesson in the JAXP Tutorial.
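An added example, not part of Oracle's release notes, showing totalEntitySizeLimit applied to a parse under FEATURE_SECURE_PROCESSING. It sets the limit through the jdk.xml.totalEntitySizeLimit system property; the class name, the XML input and the limit value 100 are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class EntityLimitDemo {
    // Constructed sample input: general entities that nest, so the
    // expanded text (4 x 8 x 40 characters) is larger than the source.
    static final String XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [\n"
        + "  <!ENTITY a \"0123456789012345678901234567890123456789\">\n"
        + "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
        + "]>\n"
        + "<r>&b;&b;&b;&b;</r>";

    // Parses XML with the given total entity size limit and reports the result.
    static String parse(String totalLimit) throws Exception {
        // Set before the factory is created so the parser picks it up.
        System.setProperty("jdk.xml.totalEntitySizeLimit", totalLimit);
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(
                XML.getBytes(StandardCharsets.UTF_8)));
            return "parsed";
        } catch (SAXException e) {
            // The parser reports an exceeded limit as a fatal parse error.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed limit, far below the expanded entity size.
        System.out.println("limit 100 -> " + parse("100"));
        // A value of 0 or less means no limit for this property.
        System.out.println("limit 0   -> " + parse("0"));
    }
}
```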