Software Update: Oracle Java 7 Update 45


Oracle has released update 45 for version 7.0 of both the Java Standard Edition development kit and runtime environment. This is a regular, planned update that should fix a number of security vulnerabilities. In addition, date and time handling has changed: an exception is now thrown when it is called by code that does not have the correct permissions. A warning has also been added for web pages that make LiveConnect calls into an RIA that is not properly signed or configured.

Java SE 7 Update 45 Changes

New Date/Time Capability

The java.util.TimeZone.setDefault(TimeZone) method has been changed to throw a SecurityException if the method is called by any code with which the security manager's checkPermission call denies PropertyPermission("user.timezone", "write"). The new system property jdk.util.TimeZone.allowSetDefault (a boolean) is provided so that the compatible behavior can be enabled. The property will be evaluated only once when the java.util.TimeZone class is loaded and initialized.

Security Changes

LiveConnect

This release introduces a new warning when web pages initiate LiveConnect calls into an RIA without being properly signed/configured. A future release, Java SE 7 Update 51, planned for January 2014, will introduce a requirement that all RIAs distributed publicly be signed by a valid certificate and contain a new Permissions attribute. These changes only affect Applet & Web Start applications (Rich Internet Applications). They do not affect other areas, such as: server-side, embedded, or client. Read more in the blog LiveConnect changes in 7u45.

Protections Against Unauthorized Redistribution of Java Applications

Starting with 7u45, application developers can specify new JAR manifest file attributes:

Application-Name: This attribute provides a secure title for your RIA.

Caller-Allowable-Codebase: This attribute specifies the codebase/locations from which JavaScript is allowed to call Applet classes.

JavaScript to Java calls will be allowed without any security dialog prompt only if:

  • JAR is signed by a trusted CA, has the Caller-Allowable-Codebase manifest entry and JavaScript runs on the domain that matches it.
  • JAR is unsigned and JavaScript calls happen from the same domain as the JAR location.

The JavaScript to Java (LiveConnect) security dialog prompt is shown once per Applet classLoader instance.

Application-Library-Allowable-Codebase: If the JNLP file or HTML page is in a different location than the JAR file, the Application-Library-Allowable-Codebase attribute identifies the locations from which your RIA can be expected to be started.

If the attribute is not present or if the attribute and location do not match, then the location of the JNLP file or HTML page is displayed in the security prompt shown to the user.

Note that the RIA can still be started in any of the above cases.

Developers can refer to JAR File Manifest Attributes for more information.

Restore Security Prompts

A new button is available in the Java Control Panel (JCP) to clear previously remembered trust decisions. A trust decision occurs when the user has selected the Don’t show this again option in a security prompt. To show prompts that were previously hidden, click Restore Security Prompts. When asked to confirm the selection, click Restore All. The next time an application is started, the security prompt for that application is shown.

See Restore Security Prompts under the Security section of the Java Control Panel.

JAXP Changes

Starting from JDK 7u45, the following new processing limits are added to the JAXP FEATURE_SECURE_PROCESSING feature.

  • totalEntitySizeLimit
  • maxGeneralEntitySizeLimit
  • maxParameterEntitySizeLimit

For more information, see the new Processing Limits lesson in the JAXP Tutorial.
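The entity size limits listed above in use, as an added example that is not part of the original announcement or Oracle's code: a small document parses, while documents that exceed the total or the per-entity limit are rejected as fatal parse errors. The jdk.xml.* system property names are the ones documented in the JAXP Processing Limits lesson; the class name, limit values and XML inputs are constructed for the demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class EntityLimitDemo {
    // Constructed input: one general entity of `size` characters, referenced `refs` times.
    static String doc(int size, int refs) {
        StringBuilder sb = new StringBuilder("<!DOCTYPE r [<!ENTITY e \"");
        for (int i = 0; i < size; i++) sb.append('x');
        sb.append("\">]><r>");
        for (int i = 0; i < refs; i++) sb.append("&e;");
        return sb.append("</r>").toString();
    }

    static String parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The limits belong to secure processing, so request it explicitly.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return "accepted";
        } catch (SAXException e) {
            // A limit violation is reported as a fatal parse error.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Set before the first parser is created. Property names: JAXP tutorial,
        // Processing Limits lesson. Values: constructed, deliberately tiny.
        System.setProperty("jdk.xml.totalEntitySizeLimit", "500");
        System.setProperty("jdk.xml.maxGeneralEntitySizeLimit", "64");

        System.out.println("10 chars x 3 refs:   " + parse(doc(10, 3)));
        System.out.println("10 chars x 100 refs: " + parse(doc(10, 100)));
        System.out.println("100 chars x 1 ref:   " + parse(doc(100, 1)));
    }
}
```

In production the limits would be sized to the largest legitimate document the application expects, since a value that is too low rejects valid input.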

Version number: 7 update 45
Release status: Final
Operating systems: Windows 7, Windows 7 x64, Java, macOS, Solaris, Windows Server 2008, Windows Server 2012
Website: Oracle
Download: http://java.com/en/download/manual.jsp
License type: Freeware