
Oracle lays out Java security facelift

Oracle has formally announced improvements to Java that are meant to harden a product line with a checkered security history.

Nandini Ramani, who leads Java platform development at Oracle, explained in a blog post Thursday that the improvements shipped with the April release of Java 7u21, and laid out the enhancements in detail.

Of note, the company has changed how signed applets, small programs that can be embedded in a web page, behave in Java. In the past, signing an applet was synonymous with granting it elevated privileges. Now, signing an applet only "establishes the identity of the signer," without automatically granting it privileges that bypass the sandbox, a change that limits what an attacker gains by signing a malicious applet with a stolen certificate.

HD Moore, chief research officer at vulnerability management company Rapid7, told SCMagazine.com on Monday that this was a big accomplishment. Keeping signed applets inside the sandbox helps prevent a single malicious applet from compromising the entire system.

“It forces signed applets to run at standard sandboxing privileges,” Moore said. “It's fixing a glaring error in [its policies].”

In addition, the Java plug-in's default security settings were raised so that unsigned applets are not executed by default, while signed applets, whose signer is now known, can still be allowed to run. A third applet policy change is that Oracle now maintains a daily-updated blacklist of known-compromised .jar files and certificates.
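The two policy changes above, treating a signature as identity rather than privilege and checking JARs and signer certificates against a blacklist, can be reproduced by a deployment-side check. The following is an added example written for this page; it is not Oracle's code and not how the Java plug-in implements its blacklist. It uses only the standard `java.util.jar` and `java.security` APIs: `JarFile` with verification enabled rejects tampered entries, `JarEntry.getCodeSigners()` yields the signer certificate of each entry once the entry has been read to the end, and the signer's SHA-256 fingerprint and the whole-file hash are compared against blacklists. The hash values in `BLOCKED_CERT_SHA256` and `BLOCKED_JAR_SHA256` are constructed placeholders, not real Oracle blacklist entries, and the blacklist file format Oracle ships is not reproduced here. Run with a JAR path as the argument; with no argument it builds a tiny unsigned JAR so the unsigned path can be exercised stand-alone (Java 7 or later).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

public class JarSignerCheck {
    // Constructed sample blacklists (placeholder hashes, NOT Oracle's real lists):
    // SHA-256 of signer certificates and of whole JAR files that must never run.
    static final Set<String> BLOCKED_CERT_SHA256 = new HashSet<>(Arrays.asList(
        "0000000000000000000000000000000000000000000000000000000000000001"));
    static final Set<String> BLOCKED_JAR_SHA256 = new HashSet<>(Arrays.asList(
        "0000000000000000000000000000000000000000000000000000000000000002"));

    /** Outcome of inspecting one JAR: who signed it (if anyone) and whether it is blocked. */
    static final class Verdict {
        final List<String> signerSubjects = new ArrayList<>();
        final List<String> signerFingerprints = new ArrayList<>();
        boolean fullySigned = true;   // false if any non-META-INF entry has no signer
        boolean blocked = false;
        String reason = "";
    }

    static String sha256Hex(byte[] data) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static Verdict inspect(Path jarPath) throws Exception {
        Verdict v = new Verdict();
        // First check: the JAR as a whole is on the blacklist, regardless of signer.
        if (BLOCKED_JAR_SHA256.contains(sha256Hex(Files.readAllBytes(jarPath)))) {
            v.blocked = true; v.reason = "JAR hash blacklisted"; return v;
        }
        // verify=true: JarFile checks each entry's digest against the signature files as
        // the entry is read and throws SecurityException if an entry was tampered with.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only populated after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { v.fullySigned = false; continue; }
                for (CodeSigner s : signers) {
                    // Leaf certificate identifies the signer; this example does NOT validate the
                    // chain to a trusted CA, so a signature here means identity, not trust.
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    String fp = sha256Hex(leaf.getEncoded());
                    if (!v.signerFingerprints.contains(fp)) {
                        v.signerFingerprints.add(fp);
                        v.signerSubjects.add(((X509Certificate) leaf).getSubjectX500Principal().getName());
                    }
                    if (BLOCKED_CERT_SHA256.contains(fp)) {
                        v.blocked = true; v.reason = "signer certificate blacklisted";
                    }
                }
            }
        } catch (SecurityException ex) {
            // A signature that does not match the content is worse than no signature.
            v.blocked = true; v.reason = "signature verification failed: " + ex.getMessage();
        }
        return v;
    }

    public static void main(String[] args) throws Exception {
        Path jar;
        if (args.length > 0) {
            jar = Paths.get(args[0]);
        } else {
            // No JAR given: build a tiny unsigned one (constructed input) so the program runs stand-alone.
            jar = Files.createTempFile("demo", ".jar");
            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
                out.putNextEntry(new JarEntry("Hello.txt"));
                out.write("constructed sample entry".getBytes("UTF-8"));
                out.closeEntry();
            }
        }
        Verdict v = inspect(jar);
        System.out.println("fully signed: " + v.fullySigned);
        System.out.println("signers: " + v.signerSubjects);
        System.out.println("blocked: " + v.blocked + (v.blocked ? " (" + v.reason + ")" : ""));
    }
}
```

The point a practitioner should take from this is the one the article makes: a valid signature only tells you who signed the JAR. Whether that identity is allowed to run, and with what privileges, is a separate policy decision, which is why the blacklist check on the certificate fingerprint is applied even when the signature verifies correctly.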

Ramani also said that future Java updates will be released four times a year as part of Oracle's quarterly Critical Patch Update. Previously, Java updates shipped three times a year on a separate schedule.

Despite the reforms, Java still needs a more advanced approach to sandboxing, like the process-level sandboxing Adobe and Google have implemented for Reader and Chrome respectively, Moore said.

“The direction most of these vendors have been [going toward] is the process-level technology,” Moore said. "If someone is able to exploit Java Runtime, they are able to get all the privileges that the user has. As soon as their applet is compromised, it exposes the entire system that it is running in."

John Hawes, a researcher at Sophos, said in a Monday blog post that the new security functionality was nice to see, but that it has come "too late," and that users should consider disabling Java in the browser.

“It's taken too long to get this far though, and things are still moving far too slowly,” Hawes wrote.

Java has been plagued by vulnerabilities and active exploits in recent years, making it a top enterprise threat. Recently, attackers targeted Java users by duping them into running a malicious applet signed with a stolen digital certificate; the applet was passed off as a "Java ClearWeb Security Update."
