Oracle adds long-awaited whitelisting capabilities to Java

Java 7 Update 40 allows system administrators to define which specific Java applets should be trusted and executed

By Lucian Constantin, IDG News Service |  Endpoint Security

"The Deployment Rule Set feature is optional and shall only be used internally in an organization with a controlled environment," Oracle said in the feature's documentation. "If a JAR file that contains a rule set is distributed or made available publicly, then the certificate used to sign the rule set will be blacklisted and blocked in Java."

Companies will need to install Java 7u40 in order to use the new feature, but the feature can be used to create rules that force certain RIAs to be executed with older Java versions installed on the same computers. This will allow companies to maintain compatibility for older applications.

It's a great first step, but right now the level of knowledge required to create and deploy the rule sets limit the feature's use to well-structured IT departments with good control over their systems, said Wolfgang Kandek, the CTO of vulnerability management firm Qualys. However, for an experienced system administrator deploying it should not be a problem, he said.

The feature is for managed environments, Kandek said. Home users should always upgrade to the latest version of Java, but if you are a system administrator and you need to maintain older versions of Java, then this might be an option, he said.

It's a great mechanism for whitelisting Java Web applications, because it's browser independent, Kandek said. Until now, companies had to use different methods for different browsers in order to do this, he said.

The functionality needs to be refined as far as management goes, but Qualys' customers who were asked about it expressed their interest in it, Kandek said. One of those companies runs an older Java version on around 2,000 of its 12,000 machines and is worried about employees visiting malicious websites that would try to exploit that, he said.

Kandek believes that the new feature is one of several signs that things are moving in the right direction at Oracle, security wise. However, other researchers feel that Oracle should do more to fix Java's security issues at the code level.

It's easier to eliminate the Java plug-in as an attack vector through various GUI (graphical user interface) and policy-based "security enhancements" than to clean up the code and re-architect the platform to strengthen its security stance, Adam Gowdiak, the founder of Polish vulnerability research firm Security Explorations, said via email.

Gowdiak and his company have found many critical vulnerabilities in Java during the past two years.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness