Java 7 Update 45: new Java disaster

Oracle continues to torture their loveless stepchild called Java, as well as browser vendors do. They "improved security" which usually equals to "created unexpected headache to millions of the users with no visible reason". We tried our best to overcome the aftermath of this update and rolled out Upload Suite 8.0.52.

Now I would like to tell about what exactly happened and what we did about it.

Additional Security Warning

If you have Upload Suite 8.0.51 or later, after you update Java to 7u45, you may notice that every time you open a page with Java applet, and additional security dialog appears asking whether you allow or deny to let the applet access JavaScript and HTML where it is hosted. The uploader still works, but the additional dialog may be quite annoying. 

Why it happened? Oracle decided that if it is necessary to manipulate the applet through JavaScript, the applet developer should define where the pages which will use the applet are located. It is necessary to do on the compile time.

In the worst scenario we would have to locate the .jar file in the same directory with the page which it hosts it or something like this. Fortunately, they allowed to use a wildcard. So the new Upload Suite update works as earler and no extra security dialog appears.

Uploader sends empty HTTP request on old Java

If you did not update Java yet, you may notice that any version of the Upload Suite sends an empty request when you upload anything. If you examine Java console log with the verbose mode enabled, you will notice a message like "LiveConnect is blocked for security reasons". What is it?

LiveConnect is a technology which allows the HTML page where the applet is located to "talk" with the applet using JavaScript. This is how you can change Java applet settings dynamically or handle the upload completion events. In particular, you initialize convertors through LiveConnect (i.e. specify whether to upload thumbnails, original file, etc).

It looks like Oracle can disable specific Java features from their "Ground Control Center". When they released Java 7u45, they just sent a command to old Javas and said them to turn off LiveConnect by default. It makes impossible for the applet to initialize convertors and therefore the uploader does not know whether you need to send thumbnails, original files, etc. So it sends nothing.

Now if the user needs to use a Java applet with LiveConnect enabled, they need either to update their Java or reduce the security level to "Medium". So it looks like pretty soon 100% of active Java users will update their Java machines.

Firefox displays "red LEGO block" icon

If you update Firefox to the version 24, you will notice that now it blocks Java applets. The red "LEGO block" icon appears near the navigation bar and if you click it, it asks whether you want to enable the Java plugin (temporary or permanently). If you enable it, the uploader appears and it works as expected.

Unfortunately we cannot do anything about it. For some reasons, Mozilla believes that the latest Java plugin is unsafe. We can only pray that Oracle will eliminate all security issues that make Mozilla think this way or they agree with each other.

Missing attribute warning on a security dialog

If you have old version of Upload Suite, you may notice that the security dialog which asks whether you trust Aurigma to install the uploader displays an additional message.

Additional message on the security dialog.

Obviously, you should be ready that the next Java update will break old uploaders again. New version of Java uploader (8.0.48 and later) don't have this problem. We have also prepared an update for the legacy version 6.

We can only thank Oracle that they warned beforehand. You have several weeks to update the uploader and we recommend to do it ASAP.

File navigation is broken on the latest Safari (in particular, on Maverick)

In fact, this problem is not related to the Java 7u45. It is a guilt of Apple - one more "big guy" who bullies our nerdy Java. They have accidently released new Safari version almost simultaneously with Oracle.

For some reasons they decided to run all Java applets in a "sandbox" which does not have an access to the file system until the user manually adds the website where this applet is used to the whilelist (they can do it in the Safari Preferences).

In the next version of the uploader, we are going to detect this situation and display some instructions to the user. Meanwhile, you have to instruct the users who have this problem how to whitelist your site.

This is a list of the most annoying changes in the Java 7 Update 45. Hopefully there is no other unexpected surprises. However anyway, we will keep you updated!