After a series of Java malware outbreaks that have resulted in widespread infections and earned significant criticisms from security analysts, many of whom recommended uninstalling the software altogether, Oracle appears ready to break its silence and address the concerns.
Milton Smith, the security lead for Java, a product managed by Oracle, spoke via a conference call Friday to address questions from users about the Java software platform. In the past, the company has done little in the way of helping users better secure themselves from Java threats, even as the software becomes the most common exploit vector affecting enterprises.
“The plan for Java security is really simple,” Smith said. “It's to get Java fixed up, number one, and then, number two, to communicate our efforts widely. We really can't have one without the other.”
Smith said significant security features recently have been added to Java. In addition, Oracle will be more vocal about new capabilities.
Recently, a “security slider” feature was added to Java's control panel to make disabling Java across various platforms easier for users, Smith said. Also, engineers introduced functionality that ensures that no applets run without first warning users, a means to prevent exploits from being launched.
Looking forward, a main focus for the security team will be safeguarding users against browser-based Java attacks.
The most recent zero-day Java exploit, patched Jan. 13, fell into this category. Security firm Kaspersky initially spotted the exploit on Dec. 17, though it wasn't until early January that the number of infections spiked to at least the thousands, primarily in the United States, Russia and Germany.
“A lot of the attacks we've seen and these security fixes apply to our Java in the browser,” Smith said. “That's really the biggest target now. We just haven't really had those challenges on the server or embedded devices [side].”
Oracle' has considered pushing Java updates automatically so more people get patched with the latest versions. However, its user base has expressed concern that malware may be installed alongside legitimate fixes, Smith said.The most recent version of the software platform is Java SE 7 Update 11.