Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Java 7 Officially Released

Published: 2011-09-05
Last Updated: 2011-09-05 13:44:59 UTC
by Raul Siles (Version: 2)
3 comment(s)

Oracle officially released Java 7, including some security updates and several new features and enhancements. Thanks ISC reader Alex for notifying us about it.

The new Java 7 version coexists with the latest Java 6 Update 27 version and is available for download from the Oracle web site, http://www.oracle.com/technetwork/java/index.html, and still makes use of different installers for the 32 and 64-bit versions for all operating systems (Linux, Solaris & Windows).

As you can see in the release notes, the main security enhancements affect the JSSE (Java Secure Socket Extension) and TLS communications, including TLS v1.1 and v1.2 as well as Server Name Indication (SNI) support.

Java 7 does not remove any previous Java versions; I guess this is the intended behavior as this is a major release. From a security perspective, if Java 7 is installed (using Windows as the sample platform) on a system that already has Java 6 installed, both versions will remain, so if you only want to run the latest version, ensure you uninstall any previous versions (as we had to do in the past but with the same major release) and do not leave vulnerable Java 6 releases around.

Considering Java is one of the most targeted pieces of client software today, be ready for future updates on both, Java 6 and Java 7 in your IT environments (perhaps Java 6u28 and Java 7u1), and plan in advance how to manage them.

UPDATE 1: Let's clarify this diary post title a little bit based on txISO comment (thanks!). If you consider Java to be officially released only when it is available at java.com, then Java has not been officially released yet (see quote on 3rd comment below). However, if you consider that Java 7 is available out there, not only in its JDK version (what I consider the version for developers), but the JRE (Java Runtime Environment) version too, then IMHO, it has been released - although only at oracle.com. Besides that, if you are old Java school and go to the old java.sun.com, you will be redirected to the oracle.com page where Java 7 is available to the public. For our ISC audience, officially or not, get ready for Java 7 as soon as possible: it is out there :)

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com

Keywords: java Java Update
3 comment(s)
Diary Archives