Java finally gets a whitelisting feature
Posted on 13 September 2013.
The latest Java Development Kit update (JDK 7u40) includes a number of bug fixes, new security features and changes, and among them is one that has been long overdue: a whitelisting option for protecting endpoints.

"The Deployment Rule Set feature is for enterprises that manage their Java desktop environment directly, and provides a way for enterprises to continue using legacy business applications in an environment of ever-tightening Java applet and Java Web Start application security policies," it is explained in the documentation for the feature.

This feature enables an enterprise to establish a whitelist of known Java Web applications, and those on the whitelist can be run without most security prompts.

For it to work, the new Java Plug-in (available since Java SE 6 Update 10) is required on the endpoints, as is Java 7u40 (the latest version), which is used to create the rules that will then work for the older version.

The feature has been introduced to help companies that can't upgrade to the latest Java version and can't disable the Java plug-in protect their employees.

The rule set is created via an XML file and must be digitally signed with a valid digital certificate issued by a trusted certificate authority.

"The Deployment Rule Set feature is optional and shall only be used internally in an organization with a controlled environment. If a JAR file that contains a rule set is distributed or made available publicly, then the certificate used to sign the rule set will be blacklisted and blocked in Java," the instructions conclude.
