Oracle speaks, promises to get Java "fixed up"

Share this article:

After a series of Java malware outbreaks that have resulted in widespread infections and earned significant criticisms from security analysts, many of whom recommended uninstalling the software altogether, Oracle appears ready to break its silence and address the concerns.

Milton Smith, the security lead for Java, a product managed by Oracle, spoke via a conference call Friday to address questions from users about the Java software platform. In the past, the company has done little in the way of helping users better secure themselves from Java threats, even as the software becomes the most common exploit vector affecting enterprises.

“The plan for Java security is really simple,” Smith said. “It's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other.”

Smith said significant security features recently have been added to Java. In addition, Oracle will be more vocal about new capabilities.

Recently, a “security slider” feature was added to Java's control panel to make disabling Java across various platforms easier for users, Smith said. Also, engineers introduced functionality that ensures that no applets run without first warning users, a means to prevent exploits from being launched.

Looking forward, a main focus for the security team will be safeguarding users against browser-based Java attacks.

The most recent zero-day Java exploit, patched Jan. 13, fell into this category. Security firm Kaspersky initially spotted the exploit on Dec. 17, though it wasn't until early January that the number of infections spiked to at least the thousands, primarily in the United States, Russia and Germany.

“A lot of the attacks we've seen and these security fixes apply to our Java in the browser,” Smith said. “That's really the biggest target now. We just haven't really had those challenges on the server or embedded devices [side].”

Oracle' has considered pushing Java updates automatically so more people get patched with the latest versions. However, its user base has expressed concern that malware may be installed alongside legitimate fixes, Smith said.

The most recent version of the software platform is Java SE 7 Update 11.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.