Oracle Talks Java Security, Pledges More Outreach to Java Community

Oracle’s approach to Java security has been under heavy scrutiny of late, with some in the security community renewing calls for enterprises to disable Java due to the number of vulnerabilities and its popularity with exploit writers.

In a public acknowledgement of these concerns, Oracle’s Milton Smith, head of Java security, held a conference call with members of the Java user community.

“The plan for Java security is really simple,” he said. “It’s to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can’t have one without the other.”

Earlier this month, Oracle shipped a Java update to address reports of a zero-day bug being targeted by attackers. However, the situation took a turn for the worse when security researchers discovered that the update contained additional vulnerabilities and failed to address the underlying issue being exploited by attackers.

In addition, over the weekend, researchers at Security Explorations uncovered another Java vulnerability that allows an attacker to successfully execute unsigned Java code on a target Windows system regardless of the Java Control Panel settings.

“Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with “Very High” Java Control Panel security settings,” explained Security Explorations CEO Adam Gowdiak in a post to the Full Disclosure mailing list.


In the conference call, Smith noted that Oracle added some new security features to Java in December. In Java 7u10, the company added the ability to disable any Java application running in the browser. The company also added the ability to set the desired level of security for unsigned applets, Java Web Start applications and embedded JavaFX applications running in a browser as well as new dialogs to warn users when the JRE is insecure.
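As an added example, not code from the article or from Oracle, here is a small Python audit of the deployment.properties settings that sit behind the two 7u10 controls Smith describes: the browser plug-in switch and the applet security level, plus the `.locked` suffix that stops a user from lowering them in the Java Control Panel. The property names are the real Java deployment keys; the file contents are constructed, and treating a missing level as MEDIUM is an assumption about the 7u10 default. Given Gowdiak's finding that Issue 53 bypasses the "Very High" setting, the finding that matters most is the plug-in still being enabled.

```python
"""Audit a Java deployment.properties file for the 7u10 browser plug-in controls."""
import re

# Real Java deployment property keys (documented by Oracle for 7u10 and later).
WEBJAVA_KEY = "deployment.webjava.enabled"     # false = no Java in the browser at all
LEVEL_KEY = "deployment.security.level"        # LOW, MEDIUM, HIGH or VERY_HIGH
STRONG_LEVELS = {"HIGH", "VERY_HIGH"}
ASSUMED_DEFAULT_LEVEL = "MEDIUM"               # assumption: default when key is absent

# Constructed sample: a user-level file left at defaults (weak).
WEAK_SAMPLE = r"""
# user-level deployment.properties (constructed sample)
deployment.version=7.10
deployment.security.level=MEDIUM
deployment.javaws.cache.dir=C\:\\Users\\alice\\AppData\\LocalLow\\Sun\\Java
"""

# Constructed sample: settings an administrator pushes via deployment.config (hardened).
HARDENED_SAMPLE = r"""
# system-level policy (constructed sample)
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value,
    bare keys (used for *.locked), and backslash escapes as written for Windows paths."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        key = m.group(1).replace("\\:", ":").replace("\\=", "=")
        value = m.group(2).replace("\\:", ":").replace("\\\\", "\\")
        props[key] = value
    return props

def audit(props):
    """Return findings for the plug-in controls; an empty list means both are set and locked."""
    findings = []
    if props.get(WEBJAVA_KEY, "true").strip().lower() != "false":
        findings.append("browser plug-in enabled")        # the control Issue 53 does not bypass
    level = props.get(LEVEL_KEY, ASSUMED_DEFAULT_LEVEL).strip().upper()
    if level not in STRONG_LEVELS:
        findings.append(f"security level {level} below HIGH")
    for key in (WEBJAVA_KEY, LEVEL_KEY):
        if key + ".locked" not in props:                   # user can change it in the Control Panel
            findings.append(f"{key} not locked")
    return findings
```

Run `audit(parse_properties(open(path).read()))` against a real file; the sample weak file yields four findings and the hardened one none.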

According to Smith, Oracle also plans to improve efforts to communicate with the Java community about security.

“No amount of talking or smoothing over is going to make anybody happy or do anything for us,” he said. “We have to fix Java.”


Andrew Storms, director of security operations for nCircle, called Oracle’s public discussion of the security challenges facing the Java browser plug-in a step forward.

“It’s good to finally see Oracle acknowledge the seriousness of the situation,” he said. “Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb.”


Written By

Marketing professional with a background in journalism and a focus on IT security.
