JRE 1.7 Vulnerability

Today, our Enterprise Architect mentioned that a recent vulnerability was discovered in the JRE 1.7. I found an article on the JRE 1.7 vulnerability recommending disabling Java.

I am running JDK 1.5 and 1.6 at work (like many organizations, we're not on the latest of technologies), so no problems there.

At home I am doing development with Java SE 7u6. I'm playing with Grails, Spring Security, trying to keep learning.

I have already gone and disabled the Java Plug-in in all my browsers on my home development machine. However, does anyone know if my home dev machine is still vulnerable by virtue of having the JDK 7 installed? I did find this article on US-CERT declaring the vulnerability notice: Oracle Java JRE 1.7 Expression.execute() fails to restrict access to privileged code.

It sounded like as long as the browser is not able to run Applets, I should be fine (it should not with the Java Plug-in disabled). However, what about Java Web Start/JNLP? Could that get invoked? That's the only other thing I could think of, other than Applets, that might be of concern.

Just wondering if I need to go through the efforts of uninstalling my Java SE 7 and dropping back to a JDK6.

What have others done upon learning of this security issue with JRE 1.7?

Philip Tenn asked Oct 06 '22 19:10

1 Answer

The details of the latest vulnerability have not been made public. However, my understanding is that it only affects Java browser plugins. The recommended mitigation is to disable the Java browser plugins. No mention is made of non-plugin Java, so I think it is safe to assume that your dev machine is not vulnerable simply by virtue of having Java 7 installed.

However, what about Java Web Start/JNLP? Could that get invoked?

I don't think so. I think it is safe to assume that the people who found the problem would have thought of that potential attack vector. (But simple common sense says that you wouldn't want to be launching random JNLP programs in the first place ...)

Stephen C answered Oct 10 '22 02:10