Oracle Talks Java Security, Pledges More Outreach to Java Community

Oracle’s approach to Java security has been under heavy scrutiny of late, with some in the security community renewing calls for enterprises to disable Java due to the number of vulnerabilities and its popularity with exploit writers.

In a public acknowledgement of these concerns, Oracle’s Milton Smith, head of Java security, held a conference call with members of the Java user community.

“The plan for Java security is really simple,” he said. “It’s to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can’t have one without the other.”

Earlier this month, Oracle shipped a Java update to address reports of a zero-day bug being targeted by attackers. However, the situation took a turn for the worse when security researchers discovered that the update contained additional vulnerabilities and failed to address the underlying issue being exploited by attackers.

In addition, during the weekend, researchers at Security Explorations uncovered another Java vulnerability that allows an attacker to execute unsigned Java code successfully on a target Windows system regardless of the Java Control Panel settings.

“Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with ‘Very High’ Java Control Panel security settings,” explained Security Explorations CEO Adam Gowdiak in a post to the Full Disclosure mailing list.

In the conference call, Smith noted that Oracle added some new security features to Java in December. In Java 7u10, the company added the ability to disable any Java application running in the browser. The company also added the ability to set the desired level of security for unsigned applets, Java Web Start applications and embedded JavaFX applications running in a browser as well as new dialogs to warn users when the JRE is insecure.

According to Smith, Oracle also plans to improve efforts to communicate with the Java community about security.

“No amount of talking or smoothing over is going to make anybody happy or do anything for us,” he said. “We have to fix Java.”

Andrew Storms, director of security operations for nCircle, called Oracle’s public discussion of the security challenges facing the Java browser plug-in a step forward.

“It’s good to finally see Oracle acknowledge the seriousness of the situation,” he said. “Unfortunately, we needed this admission a year ago, before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb.”

Related: Java Zero Day Surfaces, Exploit Already Added to Popular Crimeware Toolkits

Related: Java Vulnerability Enables Bypass of Security Sandbox

Written By

Marketing professional with a background in journalism and a focus on IT security.
