Oracle outlines steps to improve Java home, enterprise security

Following high-profile hacks and breaches at major technology companies, including Apple and Facebook, the Java maker is knuckling down on the Web plug-in's security.

Oracle is planning to change how it approaches Java fixes for security vulnerabilities, including adding centralized policy management with enterprise environment whitelisting functionality.


It's hoped this effort will help to "decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment," and, "provide additional security protections for Java operating in the server environment," according to Oracle's Java platform software development team leader Nandini Ramani, writing in a blog post on Thursday.

While Ramani only alludes to the controversy that arose earlier this year, when Apple, Facebook, Microsoft and others were compromised through zero-day attacks on then-unpatched vulnerabilities in systems running the Web plug-in, the blog post centers on the "security worthiness of Java."

Oracle tooted its own trumpet by taking a swipe at Java's former owner, Sun Microsystems, stating that Java had to adopt Oracle's own fix schedule in order to resolve issues in "priority order" and "within a certain period of time."

Ramani also noted that Java development "significantly accelerated the production of security fixes" following the 2010 acquisition of Sun. The enterprise software giant said it will continue to speed up the Java patching timeline from October in line with Oracle's other products. 

Oracle's primary provider of source code analysis has also developed automated "fuzzing" analysis tools in order to catch certain kinds of vulnerabilities before release.

The Java maker added two major points on server security and enterprise deployments.

Many of Java's security problems have not affected servers, the blog post noted, yet the publicity around them had "caused concern to organizations committed to Java applications running on servers." The company has taken steps to disassociate its browser-based Java version from server-based enterprise deployments.

With Java 7 (Update 21), a new Java distribution known as the "Server JRE" is available; it omits the Java browser plug-in, the auto-update mechanism and the installer found in the regular Java release for home users.

On server and enterprise deployments, many organizations cannot disable Java on their machines for fear of losing access to business-critical applications built on the plug-in. Local security policy features will be added to Java, making it easier for system administrators to gain further control over security policy settings during the installation and deployment of Java in their organizations.

Such features are intended to reduce the risk of malware spreading from desktops and to provide server-managed whitelisting of the Java applets that are allowed to run on client machines.

The speed with which bugs are squashed has already led to "fewer outstanding security bugs in Java," Ramani said.

"It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment."