Oracle’s approach to Java security has been under heavy scrutiny of late, with some in the security community renewing calls for enterprises to disable Java due to the number of vulnerabilities and its popularity with exploit writers.
In a public acknowledgement of these concerns, Oracle’s Milton Smith, head of Java security, held a conference call with members of the Java user community.
“The plan for Java security is really simple,” he said. “It’s to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can’t have one without the other.”
Earlier this month, Oracle shipped a Java update in response to reports of a zero-day bug being exploited by attackers. The situation then took a turn for the worse when security researchers found that the update itself contained additional vulnerabilities and did not address the underlying issue attackers were exploiting.
In addition, over the weekend, researchers at Security Explorations uncovered another Java vulnerability that lets an attacker run unsigned Java code on a target Windows system regardless of the Java Control Panel security settings.
“Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with “Very High” Java Control Panel security settings,” explained Security Explorations CEO Adam Gowdiak in a post to the Full Disclosure mailing list.
In the conference call, Smith noted that Oracle added some new security features to Java in December. In Java 7u10, the company added the ability to disable Java content in the browser entirely. It also added the ability to set the desired security level for unsigned applets, Java Web Start applications and embedded JavaFX applications running in a browser, as well as new dialogs that warn users when the installed JRE is out of date and considered insecure.
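As an added illustration, not taken from the article or from Oracle's own documentation, here is how the two 7u10 controls described above can be pushed out in a system-wide Java deployment configuration so that they apply to every user on the machine and cannot be changed from the Control Panel. The file paths are the standard Windows system-level locations and are assumed here; the keys are the Java deployment properties format, and the `.locked` entries are what prevent per-user override.

```properties
# C:\Windows\Sun\Java\Deployment\deployment.config   (system-level; path assumed)
# Points the JRE at a mandatory system properties file.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# C:\Windows\Sun\Java\Deployment\deployment.properties   (path assumed)

# Weak: the plug-in enabled with the default security level that 7u10 ships with.
#deployment.webjava.enabled=true
#deployment.security.level=MEDIUM

# Hardened: turn off all Java content in the browser and lock the setting so
# the "Enable Java content in the browser" checkbox is greyed out for every user.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Only if the plug-in must stay on for an internal application: set the
# applet / Web Start / JavaFX security level to the strictest value and lock it.
# Caveat: the Issue 53 proof of concept mentioned in the article ran under
# "Very High", so this is a speed bump, not a fix; disabling the plug-in is the
# only control that the reported bypass does not get around.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

The mandatory system file wins over a user's own `deployment.properties`, so the browser plug-in stays off even if a user later installs a newer JRE or opens the Control Panel; check the effective values by opening the Control Panel as a non-administrator and confirming the controls are disabled.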
According to Smith, Oracle also plans to improve efforts to communicate with the Java community about security.
“No amount of talking or smoothing over is going to make anybody happy or do anything for us,” he said. “We have to fix Java.”
Andrew Storms, director of security operations for nCircle, called Oracle’s public discussion of the security challenges facing the Java browser plug-in a step forward.
“It’s good to finally see Oracle acknowledge the seriousness of the situation,” he said. “Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb.”