Oracle outlines steps to improve Java home, enterprise security


Summary: Following high-profile hacks and breaches at major technology companies, including Apple and Facebook, the Java maker is knuckling down on the Web plug-in's security.

TOPICS: Security, Oracle

Oracle is planning to change how it approaches Java fixes for security vulnerabilities, including adding centralized policy management with enterprise environment whitelisting functionality.

It's hoped this effort will help to "decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment," and, "provide additional security protections for Java operating in the server environment," according to Oracle's Java platform software development team leader Nandini Ramani, writing in a blog post on Thursday.

While Ramani only indirectly acknowledges the controversy that stirred earlier this year, when Apple, Facebook, Microsoft and others were successfully hacked after systems running the Web plug-in were hit by zero-day attacks on then-unpatched vulnerabilities, the blog post centers on the "security worthiness of Java."

Oracle tooted its own trumpet by sticking one to Java's former owner, Sun Microsystems, stating that Java had to be brought onto Oracle's own fix schedule in order to resolve issues in "priority order" and "within a certain period of time."

Ramani also noted that Java development "significantly accelerated the production of security fixes" following the 2010 acquisition of Sun. The enterprise software giant said that from October it will further speed up the Java patching timeline to bring it in line with Oracle's other products.

Oracle has also introduced automated "fuzzing" analysis tools, developed with its primary source-code analysis provider, to screen for certain kinds of vulnerabilities.

The Java maker added two major points on server security and enterprise deployments.

Many of Java's security problems have not affected servers, the blog post noted, yet they had still "caused concern to organizations committed to Java applications running on servers." The company has taken steps to disassociate its browser-based Java version from server-based enterprise deployments.

With Java 7 Update 21, Oracle introduced a new distribution known as "Server JRE," which doesn't contain the Java browser plug-in, auto-update, or the installer found in the regular Java release for home users.

On server and enterprise deployments, many organizations cannot disable Java on their machines for fear of losing access to business-critical applications built with the plug-in. Local security policy features will be added to Java, making it easier for system administrators to gain further control over security policy settings during the installation and deployment of Java in their organizations.

These features are intended to reduce the risk of malware spreading from desktops, and to support server-managed whitelisting of the Java applets that are allowed to run on client machines.

The speed with which bugs are squashed has already led to "fewer outstanding security bugs in Java," Ramani said.

"It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment."



Talkback

10 comments
  • Many organizations cannot disable Java...

    I think many organizations cannot disable Java on their machines for fear of losing access to business-critical applications built with the plugin...
    http://thedebtsreliefreviews.com
    • oh poor people

      What, the whole IT sector will stop because of Java?

      Come on....
      ljenux
  • To be secure you need to uninstall it. There will be

    hundreds more security holes found in it. It's been that way for over a decade now, both under Sun and Oracle. Don't trust or do business with any company that still requires it.
    Johnny Vegas
    • Mind building a more secure and true alternative?

      If it's man-made software, there will always be a man-made exploit for it, simple as that. Only delusively secure software is one that isn't popular, so if you can, consider making your own Java alternative or quit whining about such flexible software...
      MrElectrifyer
  • He (Ramani) did say "fewer outstanding security bugs in Java,"

    WoW, let's wait till 2018 and see if the statement then reads "we're finally down to our last 100 bugs"; then we all can go "WoW, there is hope on the horizon".....................
    Over and Out
  • Too little too late

    Let's face it, the java browser plug-in is a security hole the size of the Holland Tunnel, while the applets that run the programs are resource hogs to high heavens.

    Let's hope bloatware java gets dumped along with Flash. Junk programming.
    CaviarRed
    • +1

      After failing to save the world as initially advertised, Java needs to go to the software junkheap and die already. And ORCL's credibility in this regard is shot.
      beau parisi
  • James Gosling is worm ridden filth

    And to believe he ever said that C# was Java minus security. Riiiiiight.
    jackbond
  • It's about time!

    This has become an issue for us so having the policies and a greater level of control is welcome. It's so easy to say uninstall it or don't use it but when you support a number of clients with different systems that have been in place for years you can't simply pull the plug. C'mon guys...if you've worked in IT you know how it goes.
    Rob.sharp
  • Oracle outlines steps to improve Java home, enterprise security

    Oracle's unhackable mantra: "http://www.zdnet.com/invincible-oracle-not-so-secure-3040139729/." They have been in possession of Java for over a year now and they haven't had a clue as to what to do to secure it, for the sake of keeping the mantra, and their sanity and that of their user base.
    kc63092@...