Expiring JREs

news · 6 years ago
by Balázs Zaicsek

When you connect your computer to the internet you automatically expose yourself to threats: access can be a two-way street. This is why you have to protect your computer with firewalls and security settings. However, all these settings and firewalls have security holes and vulnerabilities that malicious crackers can find. That is why keeping your system updated is important.

Java has introduced a 'security baseline': a level of confidence that the security features of the Java Runtime Environment (JRE) in use address the known security holes. In operation, every time you start an applet, your browser checks whether your current JRE meets the current security baseline. If it does, the applet opens; if not, it prompts you to update and blocks some functionality that poses a threat.

Before 2012.12.11 (Java 1.7.0_u10) it was possible to bypass this security check by disconnecting your computer from the internet or by blocking the Oracle security check with a hack; either way, this was not a secure solution. So Oracle introduced a JRE expiration date, which can be checked even when you are not online. If the expiration date of your JRE has passed, the usual update message appears.

Of course, you can always choose to do this later, but some features (like Java-JavaScript communication) will be blocked, and your applet may behave unexpectedly.

What about the future

| Version | Publish Date | Expiration Date | New security baseline? |
|---|---|---|---|
| Java 1.7.0_21 | 2013.04.16 | 2013.07.18 | Yes |
| Java 1.7.0_25 | 2013.06.18 | 2013.11.15 | Yes |
| Java 1.7.0_40 | 2013.09.10 | 2013.10.12 | No |
| Java 1.7.0_45 | 2013.10.15 | 2014.02.14 | Yes |

As you can see from the release history (table above), the security baseline is updated in many releases these days, so users should expect to run into this expiring-JRE problem in the future.
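
The two checks described above can be modelled over the release table to audit an inventory of installed JREs. This is an added example, not code from the original post or from Oracle; the function names, the host names in the constructed inventory, and the exact comparison rules are assumptions.

```python
from datetime import date

# Release data copied from the table on this page:
# version -> (publish date, expiration date, sets a new security baseline?)
RELEASES = {
    "1.7.0_21": (date(2013, 4, 16), date(2013, 7, 18), True),
    "1.7.0_25": (date(2013, 6, 18), date(2013, 11, 15), True),
    "1.7.0_40": (date(2013, 9, 10), date(2013, 10, 12), False),
    "1.7.0_45": (date(2013, 10, 15), date(2014, 2, 14), True),
}

def version_key(version):
    """Turn '1.7.0_21' into (1, 7, 0, 21) so versions compare numerically."""
    base, _, update = version.partition("_")
    return tuple(int(p) for p in base.split(".")) + (int(update or 0),)

def baseline_on(day):
    """Newest baseline-setting release published on or before `day`."""
    known = [v for v, (pub, _, is_base) in RELEASES.items() if is_base and pub <= day]
    return max(known, key=version_key) if known else None

def jre_status(version, day, online):
    """Assumed model of the check, not Oracle's code: online, compare the
    version with the current baseline; offline, fall back to the expiration
    date built into the JRE."""
    if online:
        baseline = baseline_on(day)
        if baseline and version_key(version) < version_key(baseline):
            return "below-baseline"
        return "ok"
    if version not in RELEASES:
        return "unknown"  # no expiration date on record for this release
    expires = RELEASES[version][1]
    return "expired" if day > expires else "ok"  # assumes the last valid day is the date itself

def audit(inventory, day, online):
    """Return {host: status} for hosts that would not pass the check."""
    statuses = {host: jre_status(v, day, online) for host, v in inventory.items()}
    return {host: s for host, s in statuses.items() if s != "ok"}

# Constructed sample inventory (hypothetical host names).
INVENTORY = {"kiosk-01": "1.7.0_21", "desk-02": "1.7.0_25", "desk-03": "1.7.0_45"}

if __name__ == "__main__":
    for online in (True, False):
        mode = "online" if online else "offline"
        print(mode, audit(INVENTORY, date(2013, 10, 20), online))
```

With the table's dates, a host on 1.7.0_25 checked on 2013.10.20 is below the baseline when online but has not yet expired when offline, so inventories are better audited against the baseline than against the expiration date alone.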