Java Plug-In launch changes in response to the recent security vulnerability

Question

How has Oracle changed the Java Plug-In launch experience for the user, in response to the recent security vulnerability?

Details

• The JRE 1.7 Vulnerability Q&A at SO.
• Oracle Security Alert for CVE-2013-0422
• Disabled Java warning appearance & affect on Java Web Start apps

Answer 1

Short answer

All applets, trusted or sand-boxed, are now prompted (the user is asked permission) before loading.

Long answer

Here I am testing using Oracle's own Test Java applet. It was chosen on the basis that it is relatively small, sand-boxed and provided by the maker of the same JRE/Plug-In we are testing.

This morning I was offered the chance to upgrade Java 1.7.0_11 to 1.7.0_13.

While the security vulnerability was fixed in 1.7.0_11, FF & Chrome were still showing the warnings as seen in Disabled Java warning appearance & affect on Java Web Start apps.

Firefox

With the introduction of 1.7.0_13, things seem to have change again. Now instead of the browser (itself) warning the user, a JRE warning like this appears:

Select Run to see:

On a side note: That Do not show this again for this app message on the lower left had little or no effect in the past. Now in this situation, it seems to work across the browser being closed down and restarted, and between different browsers. Hurrah!

So advise your users to 'check it'..

Internet Explorer

Has an experience like FF, but ignores permissions permanently allowed in another browser.

Chrome

Chrome still seems to be showing the initial warning it did for 1.7.0_11.

Then once that is approved, goes to the Oracle/Plug-In prompts as seen for FF.