Figure 3. Dialog generated by JVM prompting the user to allow a self-signed applet to launch
By default, Java prompts the user before launching a full-access applet whose certificate is self-signed or otherwise invalid. Users can also be prompted for applets with valid certificates: on the Advanced tab of the Java Control Panel, under Secure Execution Environment, the check box "Show site certificate from server even if it is valid" makes Java display the certificate details and let the user decide whether to run the applet.
Figure 4. Advanced tab in the Java Control Panel
Java version 7u25 allows the user to check that a signing certificate has not been revoked. Both Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP) may be used, and the revocation settings can be tuned in the Java Control Panel. In addition, 7u25 adds a More Information link to its security dialogs so the user can learn more about why the prompt appeared before deciding.
Each browser has its own method of managing add-ons, but the simplest way to determine the installed version and to test your browser's Java interaction is to use Oracle's unsigned Java applet, which displays the installed version and tells you whether it is current. Browse to Oracle's verification page and click the Verify Java version button; the site will attempt to load a Java applet and display the version of Java used to load it.
For corporate installations where egress traffic can be monitored, the active Java install base can be determined by watching the User-Agent headers at network choke points, such as a proxy, firewall, or router. By monitoring web requests and extracting the User-Agent header information, you can get a view into the Java versions currently in use on the network. A typical User-Agent string would look like:
Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15
The above clearly shows the version of Java making the request (1.7.0_15, that is, Java 7 Update 15) and the operating system it is installed on. Note that this only reveals Java installations that actually make HTTP requests through the choke point; plain HTTPS traffic hides the header unless the proxy terminates TLS, and a Java runtime that never fetches anything from the network will not appear at all.
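As an added example (not code from the original document), the following script extracts Java versions from User-Agent strings in proxy log lines and reports which hosts are below a chosen baseline. The log lines and their field layout (client IP, timestamp, method, URL, quoted User-Agent) are constructed for illustration and are an assumption; the baseline of 1.7.0_17 is chosen only because that is the release the document refers to, and should be set to whatever your organization considers current.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the original page). The layout
# (client IP, timestamp, method, URL, quoted User-Agent) is an assumption; adapt
# the field split to your proxy's actual log format.
SAMPLE_LOG = """\
10.1.2.3 2013-03-20T10:01:12Z GET http://example.com/applet.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15"
10.1.2.4 2013-03-20T10:02:45Z GET http://example.com/ "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
10.1.2.5 2013-03-20T10:03:01Z GET http://example.com/app.jnlp "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_31"
10.1.2.3 2013-03-20T10:04:30Z GET http://example.com/other.jar "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15"
10.1.2.6 2013-03-20T10:05:10Z GET http://example.com/x.jar "Mozilla/4.0 (Linux 3.2.0) Java/1.7.0_17"
"""

# Matches the "(OS) Java/1.x.y_zz" tail of the User-Agent the Java plug-in sends.
JAVA_UA_RE = re.compile(r'\((?P<os>[^)]*)\)\s+Java/(?P<ver>\d+\.\d+\.\d+(?:_\d+)?)')


def parse_java_version(ver):
    """'1.7.0_15' -> (1, 7, 0, 15). A version with no update number gets update 0."""
    main, _, update = ver.partition("_")
    parts = [int(p) for p in main.split(".")]
    parts.append(int(update) if update else 0)
    return tuple(parts)


def extract_java_clients(log_text):
    """Return {client_ip: {(version_string, os_string), ...}} for requests made by Java."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split(None, 1)[0]  # first field is the client address (assumed layout)
        m = JAVA_UA_RE.search(line)
        if m:  # lines with a non-Java User-Agent are skipped
            clients[ip].add((m.group("ver"), m.group("os")))
    return dict(clients)


def version_counts(log_text):
    """Number of distinct client hosts seen per Java version string."""
    counts = defaultdict(int)
    for versions in extract_java_clients(log_text).values():
        for ver in {v for v, _os in versions}:  # count each host once per version
            counts[ver] += 1
    return dict(counts)


def outdated_clients(log_text, minimum):
    """Hosts whose Java is older than `minimum` (e.g. '1.7.0_17'), sorted by address."""
    floor = parse_java_version(minimum)
    out = []
    for ip, versions in extract_java_clients(log_text).items():
        for ver, os_name in versions:
            if parse_java_version(ver) < floor:
                out.append((ip, ver, os_name))
    return sorted(out)


if __name__ == "__main__":
    print("hosts per Java version:", version_counts(SAMPLE_LOG))
    for ip, ver, os_name in outdated_clients(SAMPLE_LOG, "1.7.0_17"):
        print(f"{ip:<12} Java {ver:<10} {os_name}")
```

Versions are compared as integer tuples rather than as strings so that, for example, 1.7.0_9 sorts below 1.7.0_15; a host that appears in several log lines is reported once per distinct version it presented.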
Each browser has its own way of managing plugins, and the following list shows how to access the installed plugins from some popular modern browsers.
Before updating, be sure to close all browsers so that the latest Java environment will be used. Oracle recommends removing prior versions of Java when manually installing newer versions. Automatic updates can be configured to notify the user when a new version is available and to install it automatically, which replaces previous versions. However, at the time of this publication, Java 1.7_17 does not support Automatic Updates for the 64-bit version, so 64-bit installations must be updated manually.
To start the manual update process, just direct your browser to http://java.com/getjava
Modern firewall products can provide context-aware filtering that adds extra protection against Java-based exploits. One example is Cisco ScanSafe, which can scan Java applets using various data sources and protect against both known and new Java-based attacks. Cisco IronPort products can also be used by network administrators to block Java MIME types, which protects internal users who might otherwise run insecure Java applets.
Java's support for multiple operating systems, browsers, and hardware platforms has made it a significant target for attacks. Fortunately, beginning with Java version 1.7_11, Oracle has made changes so that unsigned applets no longer run automatically. Several other mitigations, described above, can also be used to protect against attacks.
Training is still an important aspect to any security measure, as these new roadblocks can be overcome with the right enticement to the end-user.
Gregg Conklin (email@example.com)
The RedMonk Programming Language Rankings: September 2012
TIOBE Programming Community Index for March 2013
How do I disable Java in my web browser?
Setting the Security Level of the Java Client
Why should I uninstall older versions of Java from my system?
What is Java Auto Update? How do I change notify settings?
Cisco Cloud Web Security
Cisco IronPort AsyncOS 7.5 for Web User Guide
6492837: 64bit: Auto-update
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.