Oracle speaks, promises to get Java "fixed up"


After a series of Java malware outbreaks that have resulted in widespread infections and earned significant criticisms from security analysts, many of whom recommended uninstalling the software altogether, Oracle appears ready to break its silence and address the concerns.

Milton Smith, the security lead for Java, a product managed by Oracle, spoke via a conference call Friday to address questions from users about the Java software platform. In the past, the company has done little in the way of helping users better secure themselves from Java threats, even as the software becomes the most common exploit vector affecting enterprises.

“The plan for Java security is really simple,” Smith said. “It's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other.”

Smith said significant security features recently have been added to Java. In addition, Oracle will be more vocal about new capabilities.

Recently, a “security slider” feature was added to Java's control panel to make disabling Java across various platforms easier for users, Smith said. Also, engineers introduced functionality that ensures that no applets run without first warning users, a means to prevent exploits from being launched.

Looking forward, a main focus for the security team will be safeguarding users against browser-based Java attacks.

The most recent zero-day Java exploit, patched Jan. 13, fell into this category. Security firm Kaspersky first spotted the exploit on Dec. 17, but it wasn't until early January that the number of infections spiked into the thousands, primarily in the United States, Russia and Germany.

“A lot of the attacks we've seen and these security fixes apply to our Java in the browser,” Smith said. “That's really the biggest target now. We just haven't really had those challenges on the server or embedded devices [side].”

Oracle has considered pushing Java updates automatically so that more users receive the latest patched versions. However, its user base has expressed concern that malware could be installed alongside legitimate fixes, Smith said.

The most recent version of the software platform is Java SE 7 Update 11.