Oracle Promises Enterprise Java Security Tweaks

Published: 22/11/2024   Category: security




Critics say Oracle hasn't done enough to address ongoing security and code quality problems in the Java browser plug-in.



Java security memo to enterprise IT managers: Better distributed client control capabilities, locked-down Java servers and certificate-based controls are coming.

Those three upcoming Java security changes were outlined in "Maintaining the security-worthiness of Java is Oracle's priority," a Thursday blog post from Nandini Ramani, who heads Oracle's Java software development team and is responsible for Java security.

Already, Ramani said Oracle's Java developers have been practicing better secure development practices, including using more automated security testing tools, using better source code analysis tools, as well as hammering code with homegrown analysis tools designed to eliminate vulnerabilities that might be targeted using code-fuzzing techniques. She also noted that Oracle has refocused resources to help release Java security updates more quickly.
Veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations, confirmed via email that Oracle has been responding to bug reports in just days -- instead of the weeks it used to take. Gowdiak also rated Oracle's Java patching speed as slightly improved, saying that after Oracle receives a vulnerability report, it's been issuing a fix about two months later.
Going forward, Oracle's Ramani promised further Java security improvements, starting with better controls for managing Java clients in the enterprise. "Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization," she said. For example, IT administrators will be able to restrict Java clients to only execute Java applications located on designated servers, which would make it more difficult for attackers to make PCs execute malicious Java applications located on remote servers.

Server-based Java will also get more locked down. Already, Oracle in April 2013 released an all-new Server Java Runtime Environment (Server JRE), which was a Java distribution designed to reduce attack surface but also to reduce customer confusion when evaluating server exploitation risk factors, according to Ramani. Going forward, expect Oracle to refine Server JRE, including "the removal of certain libraries typically unnecessary for server operation," she said.
But Ramani said that tweaking Java 7 in this manner would violate current Java specifications, meaning related changes won't happen until Oracle releases Java 8, which was originally set for September 2013, but has been delayed in the wake of Oracle now taking more time to fix Java 7 flaws.
The final previewed change concerns Java applications (aka JAR files) signed with digital certificates, which Oracle had been urging developers to do. Then, as of Java 7 update 21, released in April 2013, the Java client began prohibiting any unsigned application from automatically executing, and warned users to beware allowing the application to run. To date, however, that system has relied on a static list of known-bad certificates and applications -- a restriction that Ramani said resulted from performance concerns. Soon, however, Oracle will introduce a dynamic blacklisting mechanism including daily updates for both blacklisted JAR files and certificates, she said.
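To make the launch policy described above concrete, the following is an added illustration (not Oracle's code, and not the Java client's actual mechanism): a checker that blocks launches whose JAR hash or signing-certificate fingerprint is on a blacklist, never auto-runs unsigned code, and stops trusting a blacklist silently once it is older than the daily refresh window. The list format, the one-day limit and all sample bytes are assumptions constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_AGE = timedelta(days=1)  # assumed refresh window, matching the daily updates described

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed samples (not real artifacts): JAR bytes and DER bytes of signing certificates.
BAD_JAR = b"PK\x03\x04constructed-malicious-jar"
BAD_CERT = b"\x30\x82constructed-bad-signer-cert"
GOOD_JAR = b"PK\x03\x04constructed-benign-jar"
GOOD_CERT = b"\x30\x82constructed-trusted-signer-cert"

def make_blacklist(updated: datetime) -> dict:
    """Build a blacklist in the shape assumed here: blocked JAR hashes, blocked
    signer-certificate fingerprints, and the time the list was last refreshed."""
    return {
        "updated": updated,
        "jar_sha256": {sha256_hex(BAD_JAR)},
        "cert_sha256": {sha256_hex(BAD_CERT)},
    }

def check_launch(jar: bytes, signer_cert: Optional[bytes], blacklist: dict, now: datetime) -> str:
    """Return 'block', 'warn' or 'allow' for an application launch."""
    if sha256_hex(jar) in blacklist["jar_sha256"]:
        return "block"                      # known-bad JAR regardless of who signed it
    if signer_cert is None:
        return "warn"                       # unsigned code is never run without a prompt
    if sha256_hex(signer_cert) in blacklist["cert_sha256"]:
        return "block"                      # revoked / known-bad signer
    if now - blacklist["updated"] > MAX_AGE:
        return "warn"                       # stale list may miss newly revoked signers
    return "allow"

def scenarios(hours_since_update: int) -> dict:
    """Run four launch cases against a blacklist refreshed the given hours ago."""
    now = datetime(2013, 6, 7, 12, 0, tzinfo=timezone.utc)  # constructed clock
    bl = make_blacklist(now - timedelta(hours=hours_since_update))
    return {
        "bad_jar": check_launch(BAD_JAR, GOOD_CERT, bl, now),
        "bad_cert": check_launch(GOOD_JAR, BAD_CERT, bl, now),
        "unsigned": check_launch(GOOD_JAR, None, bl, now),
        "signed_ok": check_launch(GOOD_JAR, GOOD_CERT, bl, now),
    }

if __name__ == "__main__":
    print("fresh list:", scenarios(6))
    print("stale list:", scenarios(48))
```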
But Ramani didn't address criticism of the Java 7 warning system on information security and usability grounds. On the security front, notably, "obtaining a code-signing certificate has not been a barrier for malware in the past and there is little chance it will become one in the future," Metasploit creator HD Moore told Threatpost.
On the usability front, meanwhile, the warning system's success is predicated on end users taking the time to read, understand -- and care -- about the new Java warning messages. As Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said in April: "These dialogs end up asking the very questions that you might reasonably expect Java to answer."
Furthermore, Gowdiak at Security Explorations said that, with the exception of the new Local Security Policy features, Ramani's preview of upcoming improvements failed to address ongoing Java browser plug-in security shortcomings. "Seeing yet another Oracle VP speaking out about Java security only confirms our fears that the company prefers to hide a more systemic problem behind various security prompts and policies than to address it at the core," said Gowdiak via email.

"The core issue is about [the] poor quality and security of Oracle's code," he said. "We will get impressed if, and only if, Oracle makes it harder to break [the] Java security model. From our point of view the company hasn't made much [of a move] in that direction."
