Oracle reveals plans for Java security improvements

The company will make changes that suggest it's listening to feedback from the security research community

By Lucian Constantin, IDG News Service |  Security

Oracle plans to make changes to strengthen the security of Java, including fixing its certificate revocation checking feature, preventing unsigned applets from being executed by default and adding centralized management options with whitelisting capabilities for enterprise environments.

These changes, along with other security-related efforts, are intended to "decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment," said Nandini Ramani, vice president of engineering for Java Client and Mobile Platforms at Oracle, in a blog post on Thursday.

Ramani's blog post, which discusses "the security worthiness of Java," indirectly addresses some of the criticism and concerns raised by security researchers this year following a string of successful and widespread attacks that exploited zero-day -- previously unpatched -- vulnerabilities in the Java browser plug-in to compromise computers.

Ramani reiterated Oracle's plans to accelerate the Java patching schedule starting from October, aligning it with the patching schedule for the company's other products, and revealed some of the company's efforts to perform Java security code reviews.

"The Java development team has expanded the use of automated security testing tools, facilitating regular coverage over large sections of Java platform code," she said. The team worked with Oracle's primary provider of source code analysis services to make these tools more effective in the Java environment and also developed so-called "fuzzing" analysis tools to weed out certain types of vulnerabilities.

The apparent lack of proper source code security reviews and quality assurance testing for Java 7 was one of the criticisms brought by security researchers in light of the large number of critical vulnerabilities that were found in the platform.

Ramani also noted the new security levels and warnings for Java applets -- Web-based Java applications -- that were introduced in Java 7 Update 10 and Java 7 Update 21 respectively.

These changes were meant to discourage the execution of unsigned or self-signed applets, she said. "In the near future, by default, Java will no longer allow the execution of self-signed or unsigned code."

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question