Unsigned Java applets hit by security update
Oracle are pushing Java applet developers to sign their code ahead of next week’s security update. Java SE 7 Update 21, due April 16, will alert users if they attempt to run unsigned code in the browser.
The move comes as the latest attempt to protect end users from rampant zero-day exploits, which, though unsigned, often manage to break out of their sandbox. With an army of malware writers finding new holes in Java every week, Oracle has turned to imposing increasingly stringent security measures.
An Internet Explorer-style security scale was introduced to the Java Control Panel at the end of last year, and later set to ‘High’ by default. Update 21 will take this a step further by warning users if they attempt to run a non-signed Java applet.
According to an Oracle FAQ, the exact warning shown to the user will depend on a range of factors, such as which privileges the code requests and whether it is above or below the security baseline.
In addition, next week’s update will remove the “low” and “custom” security options from the control panel.
The documentation stresses that while none of these changes should break existing applets, “future update releases may include additional changes to restrict unsafe behaviors like unsigned and self-signed applications”.
Certificates must be purchased from “Trusted Certificate Authorities”, and are only valid for a certain period. Self-signing is recommended only for “developer and intranet applications as it also requires managing the keystore for Java”.
There are plenty of certificate-signing authorities, usually starting at around $100 per year, and generating your own self-signed certificate is relatively easy to do using the JDK’s builtin keytool.
However, it remains to be seen whether this change will genuinely protect the number of zero-day exploits emerging - or merely inconvenience developers.