Oracle Talks Java Security, Pledges More Outreach to Java Community

Oracle’s approach to Java security has been under heavy scrutiny of late, with some in the security community renewing calls for enterprises to disable Java due to the number of vulnerabilities and its popularity with exploit writers.

In a public acknowledgement of these concerns, Oracle’s Milton Smith, head of Java security, held a conference call with members of the Java user community.

“The plan for Java security is really simple,” he said. “It’s to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can’t have one without the other.”

Earlier this month, Oracle shipped a Java update to address reports of a zero-day bug being targeted by attackers. However, the situation took a turn for the worse when security researchers discovered that the update contained additional vulnerabilities and failed to address the underlying issue being exploited by attackers.

In addition, over the weekend, researchers at Security Explorations uncovered another Java vulnerability that allows an attacker to successfully execute unsigned Java code on a target Windows system regardless of the Java Control Panel settings.

“Our Proof of Concept code that illustrates Issue 53 has been successfully executed in the environment of latest Java SE 7 Update 11 (JRE version 1.7.0_11-b21) under Windows 7 OS and with “Very High” Java Control Panel security settings,” explained Security Explorations CEO Adam Gowdiak in a post to the Full Disclosure mailing list.

In the conference call, Smith noted that Oracle added some new security features to Java in December. In Java 7u10, the company added the ability to disable any Java application running in the browser. The company also added the ability to set the desired level of security for unsigned applets, Java Web Start applications and embedded JavaFX applications running in a browser as well as new dialogs to warn users when the JRE is insecure.

According to Smith, Oracle also plans to improve efforts to communicate with the Java community about security.

“No amount of talking or smoothing over is going to make anybody happy or do anything for us,” he said. “We have to fix Java.”

Andrew Storms, director of security operations for nCircle, called Oracle’s public discussion of the security challenges facing the Java browser plug-in a step forward.

“It’s good to finally see Oracle acknowledge the seriousness of the situation,” he said. “Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb.”

Related: Java Zero Day Surfaces, Exploit Already Added to Popular Crimeware Toolkits

Related: Java Vulnerability Enables Bypass of Security Sandbox