Oracle speaks, promises to get Java "fixed up"


After a series of Java malware outbreaks that resulted in widespread infections and drew significant criticism from security analysts, many of whom recommended uninstalling the software altogether, Oracle appears ready to break its silence and address the concerns.

Milton Smith, Oracle's security lead for Java, spoke on a conference call Friday to address users' questions about the Java software platform. In the past, the company has done little to help users secure themselves against Java threats, even as the software has become the most common exploit vector affecting enterprises.

“The plan for Java security is really simple,” Smith said. “It's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other.”

Smith said significant security features recently have been added to Java. In addition, Oracle will be more vocal about new capabilities.

Recently, a "security slider" was added to Java's control panel to make it easier for users to disable Java across platforms, Smith said. Engineers also introduced functionality that ensures no applet runs without first warning the user, as a means of preventing exploits from launching silently.

Looking forward, a main focus for the security team will be safeguarding users against browser-based Java attacks.

The most recent zero-day Java exploit, patched Jan. 13, fell into this category. Security firm Kaspersky first spotted the exploit on Dec. 17, though it wasn't until early January that the number of infections spiked to at least the thousands, primarily in the United States, Russia and Germany.

“A lot of the attacks we've seen and these security fixes apply to our Java in the browser,” Smith said. “That's really the biggest target now. We just haven't really had those challenges on the server or embedded devices [side].”

Oracle has considered pushing Java updates automatically so that more users are patched to the latest version. However, its user base has expressed concern that malware could be installed alongside legitimate fixes, Smith said.

The most recent version of the software platform is Java SE 7 Update 11.