Blog
Keep up to date with the latest in technology.
Apr 18
Java Version 8 Update 131 Released

Java version 8 update 131 has been released by Oracle.  This is the latest version available for users who run Java on their PCs.  Java is a programming language and computing platform.  It is also a software package that runs on more than 850 million personal computers worldwide.  There are lots of applications and websites that will not work properly unless you have Java installed.

 

Changes

security-libs/java.security
MD5 added to jdk.jar.disabledAlgorithms Security property
This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

  • Applets or Web Start Applications
  • Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.

The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.

To check if a weak algorithm or key was used to sign a JAR file, one can use the jarsigner binary that ships with this JDK. Running "jarsigner -verify" on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.

For example, to check a JAR file named test.jar, use the following command:

jarsigner -verify test.jar

If the file in this example was signed with a weak signature algorithm like MD5withRSA, the following output would be displayed:

The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled. Re-run jarsigner with the -verbose option for more details.

More details can be displayed by using the verbose option:

jarsigner -verify -verbose test.jar

The following output would be displayed:
- Signed by "CN=weak_signer" 
    Digest algorithm: MD5 (weak) 
    Signature algorithm: MD5withRSA (weak), 512-bit key (weak) 
  Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016 
    Timestamp digest algorithm: SHA-256 
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

To address the issue, the JAR file will need to be re-signed with a stronger algorithm or key size. Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms security property; however, this option is not recommended, since it re-enables MD5 signatures for every JAR that JRE verifies. Before re-signing affected JARs, the existing signature(s) should be removed from the JAR file. This can be done with the zip utility, as follows (the wildcards are quoted so the shell does not expand them):

zip -d test.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'

Please periodically check the Oracle JRE and JDK Cryptographic Roadmap at http://java.com/cryptoroadmap for planned restrictions to signed JARs and other security components.
JDK-8171121 (not public)
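To make the check above concrete, here is an added Python example (mine, not Oracle's code and not part of the release notes). It reads the digest names that jarsigner records in META-INF/*.SF, compares them with a jdk.jar.disabledAlgorithms value, and then removes the signature files the way the zip -d step does. Assumptions: the disabled-algorithms string is the 8u131 default as I remember it (confirm against your own java.security), the sample JAR is constructed in memory with a placeholder .RSA block, and only digest algorithms are inspected; key sizes live in the PKCS#7 signature block, which this does not parse, so jarsigner -verify -verbose remains the authoritative check.

```python
"""Check a JAR for digests that jdk.jar.disabledAlgorithms disables, and strip
its signature files before re-signing.

Added example (mine, not Oracle's and not part of the release notes). It reads
the "<ALG>-Digest..." headers jarsigner writes into META-INF/*.SF and compares
them with a disabled-algorithms list. Key sizes are recorded in the PKCS#7
block (.RSA/.DSA/.EC), which this does not parse. The sample JAR is constructed.
"""
import io
import re
import zipfile

# 8u131 default as I recall it (assumption: confirm in <JRE>/lib/security/java.security).
DISABLED_ALGORITHMS = "MD2, MD5, RSA keySize < 1024"

# Signature files removed before re-signing (the 'zip -d' step). .EC is the
# extension jarsigner uses for EC keys; the notes list only .SF/.RSA/.DSA.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

# Matches "SHA-256-Digest-Manifest:", "MD5-Digest-Manifest-Main-Attributes:"
# and the per-entry "MD5-Digest:" headers of a .SF file.
_DIGEST_HEADER = re.compile(
    r"^(?P<alg>[A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?\s*:")


def _norm(alg):
    """Normalise names so that SHA-256 and SHA256 compare equal."""
    return alg.replace("-", "").upper()


def parse_disabled_algorithms(value):
    """'MD2, MD5, RSA keySize < 1024' -> ({'MD2', 'MD5'}, {'RSA': 1024})."""
    names, min_key_sizes = set(), {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        m = re.fullmatch(r"(\S+)\s+keySize\s*<\s*(\d+)", entry)
        if m:
            min_key_sizes[_norm(m.group(1))] = int(m.group(2))
        else:
            names.add(_norm(entry))
    return names, min_key_sizes


def digest_algorithms(jar_bytes):
    """{signature file name: set of digest algorithm names it records}."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith(".SF"):
                lines = jar.read(name).decode("utf-8", "replace").splitlines()
                found[name] = {_norm(m.group("alg"))
                               for m in map(_DIGEST_HEADER.match, lines) if m}
    return found


def weak_signatures(jar_bytes, disabled=DISABLED_ALGORITHMS):
    """(signature file, digest algorithm) pairs that 8u131 would ignore as weak."""
    names, _ = parse_disabled_algorithms(disabled)
    return sorted((sf, alg) for sf, algs in digest_algorithms(jar_bytes).items()
                  for alg in algs if alg in names)


def strip_signatures(jar_bytes):
    """Copy of the JAR without META-INF signature files (MANIFEST.MF is kept)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            upper = info.filename.upper()
            if upper.startswith("META-INF/") and upper.endswith(SIGNATURE_SUFFIXES):
                continue
            dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


def entry_names(jar_bytes):
    """Sorted entry names, to show what survives stripping."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(jar.namelist())


def build_sample_jar(digest_alg):
    """Constructed fixture with the layout of a signed JAR; the .RSA entry is a
    placeholder, not a real PKCS#7 signature."""
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: Hello.class\r\n"
                f"{digest_alg}-Digest: AAAA\r\n\r\n")
    sf = (f"Signature-Version: 1.0\r\n{digest_alg}-Digest-Manifest: BBBB\r\n"
          f"{digest_alg}-Digest-Manifest-Main-Attributes: CCCC\r\n\r\n"
          f"Name: Hello.class\r\n{digest_alg}-Digest: AAAA\r\n\r\n")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SIGNER.SF", sf)
        jar.writestr("META-INF/SIGNER.RSA", b"\x30\x00")
        jar.writestr("Hello.class", b"\xca\xfe\xba\xbe")
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar("MD5")
    for sf, alg in weak_signatures(sample):
        print(f"{sf}: digest algorithm {alg} (weak) - JAR will be treated as unsigned")
    print("entries after stripping:", entry_names(strip_signatures(sample)))
```

Run it against a real JAR by replacing build_sample_jar with the file's bytes; a result from weak_signatures means the JAR needs the strip-and-re-sign treatment above, and an empty result still does not prove the key size is acceptable.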

 



core-libs/java.net
New system property to control caching for HTTP SPNEGO connections.
A new JDK implementation specific system property to control caching for HTTP SPNEGO (Negotiate/Kerberos) connections is introduced. Caching for HTTP SPNEGO connections remains enabled by default, so if the property is not explicitly specified, there will be no behavior change.

When connecting to an HTTP server that uses SPNEGO to negotiate authentication, and when connection and authentication with the server is successful, the authentication information will then be cached and reused for further connections to the same server. In addition, connecting to an HTTP server using SPNEGO usually involves keeping the underlying connection alive and reusing it for further requests to the same server. In some applications, it may be desirable to disable all caching for the HTTP SPNEGO (Negotiate/Kerberos) protocol in order to force requesting new authentication with each new request to the server.

With this change, we now provide a new system property that allows control of the caching policy for HTTP SPNEGO connections. If jdk.spnego.cache is defined and evaluates to false, then all caching will be disabled for HTTP SPNEGO connections. Setting this system property to false may, however, result in undesirable side effects:

  • Performance of HTTP SPNEGO connections may be severely impacted as the connection will need to be re-authenticated with each new request, requiring several communication exchanges with the server.
  • Credentials will need to be obtained again for each new request, which, depending on whether transparent authentication is available or not, and depending on the global Authenticator implementation, may result in a popup asking the user for credentials for every new request.

JDK-8170814 (not public)

 



core-libs/java.net
New system property to control caching for HTTP NTLM connections.
A new JDK implementation specific system property to control caching for HTTP NTLM connections is introduced. Caching for HTTP NTLM connections remains enabled by default, so if the property is not explicitly specified, there will be no behavior change.

On some platforms, the HTTP NTLM implementation in the JDK can support transparent authentication, where the system user credentials are used at system level. When transparent authentication is not available or unsuccessful, the JDK only supports getting credentials from a global authenticator. If connection to the server is successful, the authentication information will then be cached and reused for further connections to the same server. In addition, connecting to an HTTP NTLM server usually involves keeping the underlying connection alive and reusing it for further requests to the same server. In some applications, it may be desirable to disable all caching for the HTTP NTLM protocol in order to force requesting new authentication with each new request to the server.

With this change, we now provide a new system property that allows control of the caching policy for HTTP NTLM connections. If jdk.ntlm.cache is defined and evaluates to false, then all caching will be disabled for HTTP NTLM connections. Setting this system property to false may, however, result in undesirable side effects:

  • Performance of HTTP NTLM connections may be severely impacted as the connection will need to be re-authenticated with each new request, requiring several communication exchanges with the server.
  • Credentials will need to be obtained again for each new request, which, depending on whether transparent authentication is available or not, and depending on the global Authenticator implementation, may result in a popup asking the user for credentials for every new request.

JDK-8163520 (not public)


tools/visualvm
New version of VisualVM
VisualVM 1.3.9 was released on October 4th, 2016 (http://visualvm.github.io/relnotes.html) and has been integrated into 8u131.
See JDK-8167485

 

Bug Fixes


The following are some of the notable bug fixes included in this release:

client-libs/java.awt
Introduced a new window ordering model
On the OS X platform, the AWT framework used native services to implement parent-child relationship for windows. That caused some negative visual effects especially in multi-monitor environments. To get rid of the disadvantages of such an approach, the new window ordering model, which is fully implemented at the JDK layer, was introduced. Its main principles are listed below:

  • A window should be placed above its nearest parent window.
  • If a window has several child windows, all child windows should be located at the same layer and the window from the active window chain should be ordered above its siblings.
  • Ordering should not be performed for a window that is in an iconified state or when the transition to an iconified state is in progress.

These rules are applied to every frame or dialog from the window hierarchy that contains the currently focused window.
See JDK-8169589

 



security-libs/javax.net.ssl
Correction of IllegalArgumentException from TLS handshake
A recent regression, corrected in this release (see JDK-8173783), can cause problems for some TLS servers. The problem originates from an IllegalArgumentException thrown by the TLS handshaker code:

java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves

The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified.
See JDK-8173783


This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory. For a more complete list of the bug fixes included in this release, see the JDK 8u131 Bug Fixes page.

 

Oracle Java SE Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Java SE.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

 

If you would like assistance managing and deploying Java for PCs, please contact H Tech Solutions using the URL below.

 

Creative Commons License
H Tech Solutions Blog by Harris Schneiderman is licensed under a Creative Commons Attribution 4.0 International License.
Permissions beyond the scope of this license may be available at http://www.htechsolutions.biz/contact-us
Apr 18
Foxit Enterprise Reader Version 8.3 Released

Foxit Enterprise Reader 8.3 has been released by Foxit Software.  Foxit Enterprise Reader is a free PDF reader designed to meet the needs of an enterprise.  It is designed to be fully compatible with Adobe Reader and provides full-fidelity viewing of PDF documents.

 

New Feature and Improvements in Foxit Reader 8.3

  • Enhanced comment management
    Users can filter comments by author and status, and check the total number of comments in the Comment panel.
  • Add and share inline comments online
    Add inline comments to PDF documents at a specified location to share and discuss with other users online.
  • ConnectedPDF enhancements
    The ConnectedPDF Review and ConnectedPDF Protection workflows have been redesigned to provide a better user experience in document review and protection.
  • Some other user-friendly enhancements.

 

Issues Addressed in Foxit Reader 8.3

  • Fixed some security and stability issues. 

 

Vulnerability Details

  • Addressed potential issues where the application could be exposed to Use-After-Free vulnerabilities, which could be exploited by attackers to execute remote code.
  • Addressed potential issues where the application could be exposed to a JPEG2000 Parsing Out-of-Bounds Write vulnerability, which could lead to remote code execution.
  • Addressed a potential issue where the application could be exposed to a null pointer vulnerability, which could lead to unexpected crash.

 

Foxit Enterprise Reader is one of the applications that is managed and updated by ODS.  If you are a current customer who has requested Foxit Enterprise Reader, ODS will automatically update your version over the next few days.  The update will install silently.  No user interaction is required.  There are no additional fees or charges for ODS to update your version of Foxit Enterprise Reader. 

 

If you would like assistance managing and deploying Foxit Enterprise Reader for PCs, please contact H Tech Solutions using the URL below.

 

Apr 11
Adobe Flash Player Version 25.0.0.148 Released

Adobe Flash Player version 25.0.0.148 has been released by Adobe Systems.  Adobe Flash Player is a cross-platform browser-based application runtime that is required for viewing of certain applications, content, and videos.

 

Fixed Issues

  • [Windows] Flash Player unresponsive after connecting with the socket. (FP-4198296)

 

Known Issues

  • Previous slide's video's audio keeps playing even when next slide is loaded (FLASH-4187660)

 

Security Updates

Adobe has released security updates for Adobe Flash Player for Windows. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.   

  • Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows update to Adobe Flash Player 25.0.0.148
  • Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 25.0.0.148 for Windows.
  • Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 25.0.0.148.

 

Vulnerability Details

  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-3058, CVE-2017-3059, CVE-2017-3062, CVE-2017-3063). 
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-3060, CVE-2017-3061, CVE-2017-3064).

 

Adobe Flash Player is one of the applications that is managed and updated by ODS.  If you are a current customer, ODS will automatically update your version of Adobe Flash Player over the next few days.  ODS will deploy both the ActiveX version and the Plugin version.  This ensures that Adobe Flash Player will function with web browsers including Internet Explorer, Firefox, and Chrome.  The update will install silently.  No user interaction is required.  There are no additional fees or charges for ODS to update your version of Adobe Flash Player. 

 

Mar 28
Announcing iOS 10.3 Support for ODS

ODS is now fully compatible with this latest version of Apple’s mobile operating system, iOS 10.3.  All the existing ODS features currently available for managing iOS devices will continue to work seamlessly as users upgrade their devices to iOS 10.3.  Apple began deploying iOS 10.3 to users on March 27, 2017.

 

These new features will become available automatically.  There will be no impact to the service or downtime during the update.  There is no need to update the software running on your device to take advantage of these new features.

 

Mar 14
Adobe Flash Player Version 25.0.0.127 Released

Adobe Flash Player version 25.0.0.127 has been released by Adobe Systems.  Adobe Flash Player is a cross-platform browser-based application runtime that is required for viewing of certain applications, content, and videos.

 

Fixed Issues

  • Pressing Space bar in the Text Field makes the app behave abnormally. (FP-4198253)

  • Flash Player 24.0.0.221 quits unexpectedly (FP-4198250)

  • Wacom tablet click inputs don't work with latest Chrome version 55 (FLASH-4187112)

  • Unresponsive behaviour is observed for microphone on Windows 10/Firefox (FP-4061929)

  • [Windows 10] Movie reloads or restarts playing when user presses the "SPACE" key. (FP-4198252)

  • Multiple security and functional fixes
 
 
New Features
 

Offset support for drawToBitmapData()

Beginning in AIR 25, capturing current buffer data of the back render buffer through drawToBitmapData() allows offsets for capturing a target rectangle from buffer instead of complete buffer.

The feature is supported on Windows, Mac, iOS and android platforms.

Background:
drawToBitmapData(BitmapData) is used to draw the current render buffer to a destination bitmap. It used to take only a bitmap input, to which it would copy the complete buffer content.

Offset Implementation:
Starting AIR 25, the API drawToBitmapData( destination:BitmapData, srcRect:Rectangle = null, destPoint:Point = null) copies a particular target area from the buffer and copies it to the bitmap.

The API takes the following inputs:

  • Destination Bitmap(Bitmap): Bitmap to which rendered buffer data would be copied to
  • Source Rectangle(srcRect): Rectangle defined on the back render buffer, from which the data would be copied
  • Destination point(destPoint): Offset on the bitmap where the data will be copied to

This can be understood from the demonstration figure "Offset Instructions" (image not reproduced here):
 

Some important points:

  • If the source rectangle goes beyond the current render buffer, the part of the rectangle extending beyond the dimensions of the buffer is clipped; this is similar to the target area of Stage3D in the representation above.
  • If the target area selected in the step above goes beyond the dimensions of the bitmap, the part extending beyond the bitmap is clipped.
  • The actual target area is therefore determined by the rectangle size, the bitmap size and the offsets chosen.
  • If the offsets (destination offset, source rectangle offset) fall outside the dimensions or are negative, "Error #3802: Offset outside stage coordinate bound" is thrown.
  • If the source rectangle and the destination offset are set to null, the API falls back to the older implementation where the complete buffer is copied to the bitmap.
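The clipping rules in the list above are easy to get wrong, so here is an added Python model of them (my example, not ActionScript and not Adobe's implementation). Pixels are plain 2-D lists, a rectangle is (x, y, w, h) and a point is (x, y); the sample buffer is constructed for the demo. The defaults taken when only one of srcRect/destPoint is null (whole buffer, or the origin) are my assumption, since the notes only define the case where both are null.

```python
"""Model of the drawToBitmapData(destination, srcRect, destPoint) copy and
clipping rules described above. Added example in Python, not ActionScript and
not Adobe's code. Pixels are 2-D lists (rows first), a rectangle is (x, y, w, h)
and a point is (x, y). The defaults used when only ONE of srcRect/destPoint is
None are an assumption; the notes only define the case where both are null."""


class OffsetError(ValueError):
    """Stands in for ActionScript "Error #3802: Offset outside stage coordinate bound"."""


def make_grid(width, height, fill=0):
    """A width x height pixel grid used as a render buffer or bitmap stand-in."""
    return [[fill] * width for _ in range(height)]


def draw_to_bitmap_data(buffer, dest, src_rect=None, dest_point=None):
    """Copy a region of the render buffer into dest; returns pixels copied.

    Rules implemented (see the list above):
      * a source rectangle beyond the buffer is clipped to the buffer,
      * a target area beyond the bitmap is clipped to the bitmap,
      * negative or out-of-bounds offsets raise OffsetError (#3802),
      * both arguments None -> the whole buffer is copied to (0, 0).
    """
    buf_h, buf_w = len(buffer), len(buffer[0])
    dst_h, dst_w = len(dest), len(dest[0])
    if src_rect is None:
        src_rect = (0, 0, buf_w, buf_h)   # assumption for the one-None case
    if dest_point is None:
        dest_point = (0, 0)                # assumption for the one-None case
    sx, sy, sw, sh = src_rect
    dx, dy = dest_point
    # Offsets are validated BEFORE clipping: a negative or out-of-range origin
    # is an error, never silently clamped into range.
    if (min(sx, sy, dx, dy) < 0 or sx >= buf_w or sy >= buf_h
            or dx >= dst_w or dy >= dst_h):
        raise OffsetError("Error #3802: Offset outside stage coordinate bound")
    sw, sh = min(sw, buf_w - sx), min(sh, buf_h - sy)   # clip source to buffer
    w, h = min(sw, dst_w - dx), min(sh, dst_h - dy)     # clip target to bitmap
    if w <= 0 or h <= 0:
        return 0
    for row in range(h):
        dest[dy + row][dx:dx + w] = buffer[sy + row][sx:sx + w]
    return w * h


if __name__ == "__main__":
    # Constructed 4x3 buffer whose pixel value encodes its row and column.
    buf = [[10 * r + c for c in range(4)] for r in range(3)]
    bitmap = make_grid(3, 3, fill=-1)
    copied = draw_to_bitmap_data(buf, bitmap, (1, 1, 10, 10), (1, 0))
    print(copied, "pixels copied; bitmap now", bitmap)
    try:
        draw_to_bitmap_data(buf, bitmap, (0, 0, 1, 1), (-1, 0))
    except OffsetError as err:
        print(err)
```

The order matters: the offset check runs on the raw arguments, and only the width and height are clipped, which is what keeps a large rectangle harmless while a negative origin is still rejected.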
 

Separate HTTP and HTTPS permissions for Camera and Microphone

With the Flash Player 24 release, Adobe provided users with fine-grained control over how permissions are granted for their camera and microphone data. These settings are visible in the Global Settings Manager and the native Control Panel for Windows.

 
 

Known Issues

  • None

 

Security Updates

Adobe has released security updates for Adobe Flash Player for Windows. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

  • Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows update to Adobe Flash Player 25.0.0.127.
  • Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 25.0.0.127 for Windows.
  • Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 25.0.0.127.
 

 

Vulnerability Details
  • These updates resolve a buffer overflow vulnerability that could lead to code execution (CVE-2017-2997).
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-2998, CVE-2017-2999).
  • These updates resolve a random number generator vulnerability used for constant blinding that could lead to information disclosure (CVE-2017-3000).
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-3001, CVE-2017-3002, CVE-2017-3003).

 

Adobe Flash Player is one of the applications that is managed and updated by ODS.  If you are a current customer, ODS will automatically update your version of Adobe Flash Player over the next few days.  ODS will deploy both the ActiveX version and the Plugin version.  This ensures that Adobe Flash Player will function with web browsers including Internet Explorer, Firefox, and Chrome.  The update will install silently.  No user interaction is required.  There are no additional fees or charges for ODS to update your version of Adobe Flash Player. 

 

 

Mar 01
Foxit Enterprise Reader Version 8.2.1 Released

Foxit Enterprise Reader 8.2.1 has been released by Foxit Software.  Foxit Enterprise Reader is a free PDF reader designed to meet the needs of an enterprise.  It is designed to be fully compatible with Adobe Reader and provides full-fidelity viewing of PDF documents.

 

Improvements in Foxit Reader 8.2.1

  • Provides users with more options on whether to overwrite an existing file when creating PDF files, such as a prompt to rename the PDF file, which improves PDF creation workflow.

  • Some other user-friendly enhancements.

 

Issues Addressed in Foxit Reader 8.2.1

  • Fixed some security and stability issues.

 

 

Vulnerability Details

  • Addressed potential issues where the application could be exposed to a Use-After-Free vulnerability, which could be exploited by attackers to execute remote code under the context of the current process. 
  • Addressed potential issues where the application could be exposed to a Type Confusion vulnerability, which could be exploited by attackers to execute remote code under the context of the current process.
  • Addressed potential issues where the application could be exposed to an Out-of-Bounds Read vulnerability, which could lead to information disclosure or remote code execution.
  • Addressed a potential issue where the application could be exposed to a Null Pointer Dereference vulnerability when opening a crafted PDF file, which could cause the application to crash unexpectedly.
  • Addressed a potential issue where the application could be exposed to a memory corruption vulnerability, which could be leveraged by attackers to execute remote code.

 

 

Foxit Enterprise Reader is one of the applications that is managed and updated by ODS.  If you are a current customer who has requested Foxit Enterprise Reader, ODS will automatically update your version over the next few days.  The update will install silently.  No user interaction is required.  There are no additional fees or charges for ODS to update your version of Foxit Enterprise Reader. 

 

If you would like assistance managing and deploying Foxit Enterprise Reader for PCs, please contact H Tech Solutions using the URL below.

 

Feb 14
Adobe Flash Player Version 24.0.0.221 Released

Adobe Flash Player version 24.0.0.221 has been released by Adobe Systems.  Adobe Flash Player is a cross-platform browser-based application runtime that is required for viewing of certain applications, content, and videos.

 

Security Updates

Adobe has released security updates for Adobe Flash Player for Windows. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

 

  • Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows update to Adobe Flash Player 24.0.0.221.
  • Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 24.0.0.221 for Windows.

  • Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 24.0.0.221.

 

Vulnerability Details

  • These updates resolve a type confusion vulnerability that could lead to code execution (CVE-2017-2995).
  • These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2017-2987).
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-2982, CVE-2017-2985, CVE-2017-2993, CVE-2017-2994).
  • These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2984, CVE-2017-2986, CVE-2017-2992).
  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-2988, CVE-2017-2990, CVE-2017-2991, CVE-2017-2996).

 

 

Adobe Flash Player is one of the applications that is managed and updated by ODS.  If you are a current customer, ODS will automatically update your version of Adobe Flash Player over the next few days.  ODS will deploy both the ActiveX version and the Plugin version.  This ensures that Adobe Flash Player will function with web browsers including Internet Explorer, Firefox, and Chrome.  The update will install silently.  No user interaction is required.  There are no additional fees or charges for ODS to update your version of Adobe Flash Player. 

 

Jan 23
OneDrive For Business Sync Client Now Supports SharePoint Online Team Sites

For those of you who have used the OneDrive for Business sync client previously, I am sure you have experienced a sync issue at some point.  I know many customers who have dealt with sync issues, which can be very frustrating.  To say that the OneDrive sync client is fragile is being kind.

The current OneDrive sync client is based on a technology acquired from Groove Networks which Microsoft purchased in 2005. 

https://news.microsoft.com/2005/03/10/microsoft-to-acquire-groove-networks-combining-talents-to-create-anytime-anywhere-collaboration-products-and-services/#sm.0001o3na1psbzeirxqc15j7dy3c1f#QF6evp7lYfK67IjO.97

This technology is old and needs to be updated and improved.

 

The good news is that Microsoft has heard the feedback.  They released a new OneDrive for Business sync client (onedrive.exe).  In the initial release, it had the ability to sync OneDrive files.  Synching SharePoint Team Sites was only in preview.

 

I am pleased to report that SharePoint Team Site sync is now released as of January 23, 2017.  The latest release of the new OneDrive sync client lets you:

  • Navigate to a SharePoint Online site, a folder, or a shared folder, and click Sync to sync files to the computer.

  • Change the folders that you're syncing directly in the sync client.

  • Sync shared folders.

  • Sync read-only files and folders.

  • Edit files with other people at the same time with Office 2016 (requires click-to-run build 16.0.7167.2xxx or MSI build 16.0.4432.100x).

  • Automatically transition from the previous OneDrive for Business sync client (Groove.exe) to the new OneDrive sync client (OneDrive.exe).

Known issues

The following are known issues in this release:

  • SharePoint team sites sync per computer. Like OneDrive, team site sync relationships are per computer (i.e., pressing the sync button from one computer will not automatically start that team site syncing on another computer, even if they are both configured to sync OneDrive). You must configure your sync settings separately on each computer where you want to sync files.

  • When syncing libraries that require check out, or libraries with required columns or metadata, the files are synced as read-only. If you do make changes to these files, the changes will not be synced back to Office 365.

  • Version history is lost when moving Office files locally across sites. To move Office files to another site, go to Office 365 and use "Copy to" to copy your files to another site.

  • OneNote files can't be moved locally across syncing sites. To move OneNote notebooks to another site, use the copy feature in the OneNote app.

  • Watch out for site names that include “:” or any non-supported folder name character on Windows. The new OneDrive sync client can't sync sites with names that include these unsupported folder name characters.

  • When you sync a SharePoint site or folder, a new folder is created in the folder that has the name of your organization (for example, %userprofile%\Contoso). You cannot reuse an existing folder.

  • There is a known issue in Edge where site setup navigates you to a support page instead of launching site setup. Please make sure you are running the latest version of Windows which has the latest fix.

  • Folders might be moved around after transitioning from the previous OneDrive for Business sync client (Groove.exe) to the new OneDrive sync client. The new OneDrive sync client does not sync folders to which you have no permissions. If you were syncing folders with the previous OneDrive for Business sync client to which you had no permissions, the new sync client will remove those folders and move any content within to the root of the folder with the name of your organization.

 

If you need any assistance setting up OneDrive for Business file sync or migrating to the new OneDrive for Business client, please contact H Tech Solutions for a free consultation.

Jan 17
Java Version 8 Update 121 Released

Java version 8 update 121 has been released by Oracle.  This is the latest version available for users who run Java on their PCs.  Java is a programming language and computing platform.  It is also a software package that runs on more than 850 million personal computers worldwide.  There are lots of applications and websites that will not work properly unless you have Java installed.

 


Notes


core-libs/javax.naming
Improved protection for JNDI remote class loading
Remote class loading via JNDI object factories stored in naming and directory services is disabled by default. To enable remote class loading by the RMI Registry or COS Naming service provider, set the following system property to the string "true", as appropriate:

    com.sun.jndi.rmi.object.trustURLCodebase
    com.sun.jndi.cosnaming.object.trustURLCodebase
JDK-8158997 (not public)


security-libs/java.security
jarsigner -verbose -verify should print the algorithms used to sign the jar
The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and will also provide an indication if any of them are considered weak. 

Specifically, when "jarsigner -verify -verbose filename.jar" is called, a separate section is printed out showing information of the signature and timestamp (if it exists) inside the signed JAR file, even if it is treated as unsigned for various reasons. If any algorithm or key used is considered weak, as specified in the Security property, jdk.jar.disabledAlgorithms, it will be labeled with "(weak)". 

For example:

- Signed by "CN=weak_signer"
   Digest algorithm: MD2 (weak) 
   Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
 Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
   Timestamp digest algorithm: SHA-256 
   Timestamp signature algorithm: SHA256withRSA, 2048-bit key 
See JDK-8163304 


New Features


security-libs/javax.xml.crypto
Added security property to configure XML Signature secure validation mode
A new security property named jdk.xml.dsig.secureValidationPolicy has been added that allows you to configure the individual restrictions that are enforced when the secure validation mode of XML Signature is enabled. The default value for this property in the java.security configuration file is:

jdk.xml.dsig.secureValidationPolicy=\
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
    maxTransforms 5,\
    maxReferences 30,\
    disallowReferenceUriSchemes file http https,\
    noDuplicateIds,\
    noRetrievalMethodLoops
Please refer to the definition of the property in the java.security file for more information.
See JDK-8151893
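The property value above is a comma-separated list of constraints spread over continuation lines in Java properties syntax. The Python below is an added example, not JDK code: it loads a constructed copy of that default value, turns it into a policy dictionary, and then reports which of the restrictions a given signature would trip, where the signature is summarised as its algorithm URIs plus the URI attribute and transform count of each ds:Reference (a simplified stand-in for the checks the JDK applies during secure validation).

```python
# Constructed copy of the default value from java.security, as the release note prints it
# (Java properties syntax: a trailing backslash continues the value on the next line).
POLICY_TEXT = r"""jdk.xml.dsig.secureValidationPolicy=\
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
    maxTransforms 5,\
    maxReferences 30,\
    disallowReferenceUriSchemes file http https,\
    noDuplicateIds,\
    noRetrievalMethodLoops
"""

def load_policy(text):
    """Join the continuation lines and return the constraints as a dict."""
    logical = "".join(l.strip()[:-1] if l.strip().endswith("\\") else l.strip()
                      for l in text.splitlines())
    value = logical.split("=", 1)[1]
    policy = {"disallowAlg": set(), "disallowReferenceUriSchemes": set(), "flags": set()}
    for item in value.split(","):
        name, *args = item.split()
        if name == "disallowAlg":
            policy["disallowAlg"].add(args[0])
        elif name in ("maxTransforms", "maxReferences"):
            policy[name] = int(args[0])
        elif name == "disallowReferenceUriSchemes":
            policy["disallowReferenceUriSchemes"].update(args)
        elif name in ("noDuplicateIds", "noRetrievalMethodLoops"):
            policy["flags"].add(name)
        else:
            raise ValueError("unknown constraint: " + name)
    return policy

def violations(policy, signature):
    """signature is a summary of a parsed ds:Signature: its algorithm URIs and, per
    ds:Reference, the URI attribute and the number of ds:Transform children."""
    found = [f"disallowed algorithm {a}" for a in signature["algorithms"]
             if a in policy["disallowAlg"]]
    refs = signature["references"]
    if len(refs) > policy.get("maxReferences", float("inf")):
        found.append(f"{len(refs)} references exceed maxReferences")
    for ref in refs:
        if ref["transforms"] > policy.get("maxTransforms", float("inf")):
            found.append(f"reference {ref['uri']!r} has too many transforms")
        scheme = ref["uri"].partition(":")[0].lower() if ":" in ref["uri"] else ""
        if scheme in policy["disallowReferenceUriSchemes"]:
            found.append(f"reference {ref['uri']!r} uses disallowed scheme {scheme}")
    return found
```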

 



core-libs/java.io:serialization
Serialization Filter Configuration
Serialization Filtering introduces a new mechanism that allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if one is configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The pattern syntax for the "jdk.serialFilter" value is described in JEP 290 Serialization Filtering and in <JRE>/lib/security/java.security. Filter actions are logged to the 'java.io.serialization' logger, if enabled.
See JDK-8155760



core-libs/java.rmi
RMI Better constraint checking
RMI Registry and Distributed Garbage Collection use the mechanisms of JEP 290 Serialization Filtering to improve service robustness.
RMI Registry and DGC implement built-in white-list filters for the typical classes expected to be used with each service.
Additional filter patterns can be configured using either a system property or a security property. The "sun.rmi.registry.registryFilter" and "sun.rmi.transport.dgcFilter" property pattern syntax is described in JEP 290 and in <JRE>/lib/security/java.security.
JDK-8156802 (not public)
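The jdk.serialFilter, sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter properties described in the two notes above all use the JEP 290 pattern syntax. The Python below is an added model of that syntax, not JDK code, for working out what a candidate filter string will do before deploying it: patterns are separated by ';', the first matching pattern decides, a leading '!' rejects, a trailing '*' is a wildcard ("pkg.*" matches one package, "pkg.**" the package and its subpackages), and maxdepth/maxrefs/maxbytes/maxarray are resource limits checked before any class pattern. Module prefixes are not modelled, and class names are plain strings.

```python
# Added model (not JDK code) of the JEP 290 filter pattern syntax shared by
# jdk.serialFilter, sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter.
ALLOWED, REJECTED, UNDECIDED = "ALLOWED", "REJECTED", "UNDECIDED"
LIMITS = ("maxdepth", "maxrefs", "maxbytes", "maxarray")

def compile_filter(pattern):
    """Parse a filter string into (limits dict, [(negate, matcher), ...])."""
    limits, rules = {}, []
    for p in pattern.split(";"):
        p = p.strip()
        if not p:
            continue
        if "=" in p:                                 # resource limit, e.g. maxdepth=5
            key, value = p.split("=", 1)
            if key not in LIMITS:
                raise ValueError("unknown limit: " + key)
            limits[key] = int(value)
            continue
        negate = p.startswith("!")
        body = p[1:] if negate else p
        if body.endswith(".**"):                     # the package and all its subpackages
            prefix = body[:-2]                       # keeps the trailing '.'
            matcher = lambda n, pre=prefix: n.startswith(pre)
        elif body.endswith(".*"):                    # classes directly in the package
            pkg = body[:-2]
            matcher = lambda n, pkg=pkg: n.startswith(pkg) and n.rfind(".") == len(pkg)
        elif body.endswith("*"):                     # any class name with this prefix
            stem = body[:-1]
            matcher = lambda n, stem=stem: n.startswith(stem)
        else:                                        # exact class name
            matcher = lambda n, name=body: n == name
        rules.append((negate, matcher))
    return limits, rules

def check_input(compiled, class_name=None, array_length=-1, depth=1,
                references=0, stream_bytes=0):
    """Status for one ObjectInputStream callback: REJECTED fails the stream with an
    InvalidClassException, UNDECIDED leaves the default (accept) behaviour in place."""
    limits, rules = compiled
    inf = float("inf")
    if (depth > limits.get("maxdepth", inf) or references > limits.get("maxrefs", inf)
            or stream_bytes > limits.get("maxbytes", inf)
            or (array_length >= 0 and array_length > limits.get("maxarray", inf))):
        return REJECTED                              # limits apply before any class pattern
    if class_name is None:
        return UNDECIDED                             # callbacks that carry no class
    for negate, matcher in rules:
        if matcher(class_name):
            return REJECTED if negate else ALLOWED
    return UNDECIDED
```

The usual shape of a production filter is an allow-list of application packages followed by "!*", so that anything not explicitly allowed is rejected rather than left undecided.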



security-libs
Add mechanism to allow non-default root CAs to not be subject to algorithm restrictions

*New certpath constraint: jdkCA*
In the java.security file, an additional constraint named "jdkCA" is added to the jdk.certpath.disabledAlgorithms property. This constraint prohibits the specified algorithm only if the algorithm is used in a certificate chain that terminates at a marked trust anchor in the lib/security/cacerts keystore. If the jdkCA constraint is not set, then all chains using the specified algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm expression. 

Example: To apply this constraint to SHA-1 certificates, include the following: SHA1 jdkCA
See JDK-8140422



Changes


security-libs/javax.net.ssl
Improve the default strength of EC in JDK
To improve the default strength of EC cryptography, EC keys less than 224 bits have been deactivated in certification path processing (via the jdk.certpath.disabledAlgorithms Security Property) and SSL/TLS connections (via the jdk.tls.disabledAlgorithms Security Property) in JDK. Applications can update this restriction in the Security Properties and permit smaller key sizes if really needed (for example, "EC keySize < 192"). EC curves less than 256 bits are removed from the SSL/TLS implementation in JDK. The new System Property, jdk.tls.namedGroups, defines a list of enabled named curves for EC cipher suites in order of preference. If an application needs to customize the default enabled EC curves or the curves preference, please update the System Property accordingly. For example:

    jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1"

Note that the default enabled or customized EC curves follow the algorithm constraints. For example, the customized EC curves cannot re-activate the disabled EC keys defined by the Java Security Properties.
See JDK-8148516



tools/javadoc(tool)
New --allow-script-in-comments option for javadoc
The javadoc tool will now reject any occurrences of JavaScript code in the javadoc documentation comments and command-line options, unless the command-line option, --allow-script-in-comments is specified.

With the --allow-script-in-comments option, the javadoc tool will preserve JavaScript code in documentation comments and command-line options. An error will be given by the javadoc tool if JavaScript code is found and the command-line option is not set.
JDK-8138725 (not public)



security-libs/javax.xml.crypto
Increase the minimum key length to 1024 for XML Signatures
The secure validation mode of the XML Signature implementation has been enhanced to restrict RSA and DSA keys less than 1024 bits by default, as they are no longer secure enough for digital signatures. Additionally, a new security property named jdk.xml.dsig.secureValidationPolicy has been added to the java.security file and can be used to control the different restrictions enforced when the secure validation mode is enabled.

The secure validation mode is enabled either by setting the XML Signature property org.jcp.xml.dsig.secureValidation to true with the javax.xml.crypto.XMLCryptoContext.setProperty method, or by running the code with a SecurityManager.

If an XML Signature is generated or validated with a weak RSA or DSA key, an XMLSignatureException will be thrown with the message, "RSA keys less than 1024 bits are forbidden when secure validation is enabled" or "DSA keys less than 1024 bits are forbidden when secure validation is enabled."
JDK-8140353 (not public)



docs/release_notes
Restrict certificates with DSA keys less than 1024 bits.
DSA keys less than 1024 bits are not strong enough and should be restricted in certification path building and validation. Accordingly, DSA keys less than 1024 bits have been deactivated by default by adding "DSA keySize < 1024" to the jdk.certpath.disabledAlgorithms security property. Applications can update this restriction in the security property (jdk.certpath.disabledAlgorithms) and permit smaller key sizes if really needed (for example, "DSA keySize < 768"). 
JDK-8139565 (not public)
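The jdkCA constraint, the EC key-size restriction and the DSA key-size restriction described above all live in the same jdk.certpath.disabledAlgorithms property. The Python below is an added example, not JDK code, of how such a policy string is parsed and applied to a certificate chain: entries are "ALG", "ALG keySize OP N" or "ALG jdkCA" (several constraints joined with '&'), a certificate is reduced to its signature algorithm, key algorithm and key size, the signature algorithm is split on "with" (a simplified stand-in for the JDK's alias handling), and the jdkCA flag is modelled by telling the checker whether the chain's trust anchor is one shipped in lib/security/cacerts.

```python
import re
from collections import namedtuple

# One certificate as seen by certpath validation; chains are leaf first, trust anchor last.
Cert = namedtuple("Cert", "subject sig_alg key_alg key_size")

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def parse_disabled_algorithms(value):
    """Parse a jdk.certpath.disabledAlgorithms value into
    [(ALGORITHM, ("<", bits) or None, jdk_ca_only)] entries."""
    entries = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split("&")]        # "SHA1 jdkCA & keySize < 2048"
        head = parts[0].split(None, 1)                       # algorithm name, optional constraint
        constraints = head[1:] + parts[1:]
        size, jdk_ca = None, False
        for c in constraints:
            m = re.fullmatch(r"keySize\s*(<=|<|==|!=|>=|>)\s*(\d+)", c)
            if m:
                size = (m.group(1), int(m.group(2)))
            elif c == "jdkCA" and not jdk_ca:                # jdkCA may only appear once
                jdk_ca = True
            else:
                raise ValueError("bad constraint in: " + item)
        entries.append((head[0].upper(), size, jdk_ca))
    return entries

def _components(sig_alg):
    # "SHA1withRSA" -> {"SHA1", "RSA"}; "SHA-256" and "SHA256" are treated alike
    return {p.replace("-", "").upper() for p in re.split("with", sig_alg, flags=re.I)}

def disabled_in_chain(chain, policy, anchor_in_cacerts):
    """Reasons the chain would be rejected. A jdkCA entry only applies when the
    chain ends at a trust anchor shipped in lib/security/cacerts."""
    reasons = []
    for alg, size, jdk_ca in policy:
        if jdk_ca and not anchor_in_cacerts:
            continue
        for i, cert in enumerate(chain):
            is_anchor = i == len(chain) - 1                  # the anchor's own signature is not checked
            if size is None:
                if not is_anchor and alg in _components(cert.sig_alg):
                    reasons.append(f"{cert.subject}: signature algorithm {cert.sig_alg} disabled")
            elif cert.key_alg.upper() == alg and OPS[size[0]](cert.key_size, size[1]):
                reasons.append(f"{cert.subject}: {alg} key of {cert.key_size} bits disabled")
    return reasons
```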



security-libs
More checks added to DER encoding parsing code
More checks are added to the DER encoding parsing code to catch various encoding errors. In addition, signatures which contain constructed indefinite length encoding will now lead to IOException during parsing. Note that signatures generated using JDK default providers are not affected by this change. 
JDK-8168714 (not public)



core-libs/java.net
Additional access restrictions for URLClassLoader.newInstance
Class loaders created by the java.net.URLClassLoader.newInstance methods can be used to load classes from a list of given URLs. If the calling code does not have access to one or more of the URLs and the URL artifacts that can be accessed do not contain the required class, then a ClassNotFoundException, or similar, will be thrown. Previously, a SecurityException would have been thrown when access to a URL was denied. If required to revert to the old behavior, this change can be disabled by setting the jdk.net.URLClassPath.disableRestrictedPermissions system property.
JDK-8151934 (not public)



core-libs/java.util.logging
A new configurable property in logging.properties java.util.logging.FileHandler.maxLocks
A new java.util.logging.FileHandler.maxLocks configurable property is added to java.util.logging.FileHandler. 

This new logging property can be defined in the logging configuration file and makes it possible to configure the maximum number of concurrent log file locks a FileHandler can handle. The default value is 100. 

In a highly concurrent environment where multiple (more than 101) standalone client applications are using the JDK Logging API with FileHandler simultaneously, it may happen that the default limit of 100 is reached, resulting in a failure to acquire FileHandler file locks and causing an IO Exception to be thrown. In such a case, the new logging property can be used to increase the maximum number of locks before deploying the application. 

If not overridden, the default value of maxLocks (100) remains unchanged. See java.util.logging.LogManager and java.util.logging.FileHandler API documentation for more details. 
See JDK-8153955
 
 

Known Issues


deploy/packager
javapackager and fx:deploy bundle the whole JDK instead of JRE
There is a known bug in the Java Packager for Mac where the entire JDK may be bundled with the application bundle, resulting in an unusually large bundle. The workaround is to use the -Bruntime bundler option. For example, -Bruntime=JavaAppletPlugin.plugin tells the packager that the JavaAppletPlugin.plugin for the desired JRE to bundle is located in the current directory.
See JDK-8166835


install/install
Java Installation will fail for non-admin users with UAC off
The Java installation on Windows will fail without warning or prompting for non-admin users with User Account Control (UAC) disabled. The installer will leave a directory, jds<number>.tmp, in the %TEMP% directory.
JDK-8161460 (not public)


 

Oracle Java SE Executive Summary

 

This Critical Patch Update contains 17 new security fixes for Oracle Java SE.  16 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. 


 

If you would like assistance managing and deploying Java for PCs, please contact H Tech Solutions using the URL below.

 

Creative Commons License
H Tech Solutions Blog by Harris Schneiderman is licensed under a Creative Commons Attribution 4.0 International License.
Permissions beyond the scope of this license may be available at http://www.htechsolutions.biz/contact-us
Jan 10
Adobe Flash Player Version 24.0.0.194 Released

Adobe Flash Player ​version 24.0.0.194 has been released by Adobe Systems.  Adobe Flash Player is a cross-platform browser-based application runtime that is required for viewing of certain applications, content, and videos.

 

Fixed Issues

  • Socket connection fails with Security error #2048. (4198184)

  • Event handler Event.CONNECT is not called when using flash.net.Socket to connect to the server. (4198188)
 

Known Issues

  • Performance drop is observed on Firefox 49.0.2 when the Async drawing feature is enabled. (4197072)

 

Security Updates

Adobe has released security updates for Adobe Flash Player for Windows.  These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.  

  • Adobe recommends that users of the Adobe Flash Player Desktop Runtime for Windows update to version 24.0.0.194.
  • Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 24.0.0.194 for Windows.

  • Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 24.0.0.194. 

 

Vulnerability Details

  • These updates resolve a security bypass vulnerability that could lead to information disclosure (CVE-2017-2938).
  • These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2017-2932, CVE-2017-2936, CVE-2017-2937).

  • These updates resolve heap buffer overflow vulnerabilities that could lead to code execution (CVE-2017-2927, CVE-2017-2933, CVE-2017-2934, CVE-2017-2935).

  • These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2017-2925, CVE-2017-2926, CVE-2017-2928, CVE-2017-2930, CVE-2017-2931).

 

Adobe Flash Player is one of the applications that is managed and updated by ODS.  If you are a current customer, ODS will automatically update your version of Adobe Flash Player over the next few days.  ODS will deploy both the ActiveX version and the Plugin version.  This ensures that Adobe Flash Player will function with web browsers including Internet Explorer, Firefox, and Chrome.  The update will install silently.  No user interaction is required.  There are no additional fees or charges for ODS to update your version of Adobe Flash Player. 

 
