Oracle speaks, promises to get Java "fixed up"


After a series of Java malware outbreaks that have resulted in widespread infections and earned significant criticisms from security analysts, many of whom recommended uninstalling the software altogether, Oracle appears ready to break its silence and address the concerns.

Milton Smith, the security lead for Java, a product managed by Oracle, spoke via a conference call Friday to address questions from users about the Java software platform. In the past, the company has done little to help users better secure themselves against Java threats, even as the software has become the most common exploit vector affecting enterprises.

“The plan for Java security is really simple,” Smith said. “It's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other.”

Smith said significant security features recently have been added to Java. In addition, Oracle will be more vocal about new capabilities.

Recently, a “security slider” feature was added to Java's control panel to make disabling Java across various platforms easier for users, Smith said. Engineers also introduced functionality that ensures no applet runs without first warning the user, a measure meant to prevent exploits from being launched.

Looking forward, a main focus for the security team will be safeguarding users against browser-based Java attacks.

The most recent zero-day Java exploit, patched Jan. 13, fell into this category. Security firm Kaspersky initially spotted the exploit on Dec. 17, though it wasn't until early January that the number of infections spiked to at least the thousands, primarily in the United States, Russia and Germany.

“A lot of the attacks we've seen and these security fixes apply to our Java in the browser,” Smith said. “That's really the biggest target now. We just haven't really had those challenges on the server or embedded devices [side].”

Oracle has considered pushing Java updates automatically so that more people get patched with the latest versions. However, its user base has expressed concern that malware may be installed alongside legitimate fixes, Smith said.

The most recent version of the software platform is Java SE 7 Update 11.