Oracle's Java security improvements don't quite satisfy

Oracle's plans to bolster Java security were welcomed by security experts, who nevertheless wanted to see more done to lock down one of hackers' favorite targets.

The Java steward released on Thursday its priorities for the application platform. The changes on tap included automated checking of the validity of signed certificates, stopping unsigned applets from being executed by default and adding centralized management options. The latter included whitelisting of applets in enterprise environments.

The upcoming changes, as well as other security efforts outlined in Oracle's Software Security Assurance Blog, were categorized on Friday by security experts as necessary improvements that were far from definitive.

"No one step Oracle is taking stands out as a silver bullet that will cure Java security issues," said Paul Henry, a security and forensic analyst with Lumension. "That being said, each with one exception is a step in the right direction."

That exception was Oracle's decision to release Java patches on a quarterly basis, although the company said it would make exceptions for highly critical zero-day vulnerabilities. Given the number of flaws Oracle is patching -- 97 so far this year -- a quarterly release is too much of a burden for corporate security pros, Henry said.

"With the patch load we have seen historically, it may be better and faster to adopt a monthly cycle as Microsoft has done for years," he said.

HD Moore, chief research officer for Rapid7, said he believed the change in the handling of applets was the most important piece of Oracle's announcement. In the past, signed applets could run outside of the Java sandbox. Oracle plans to no longer make that possible.

"Oracle is changing this model so that signing an applet no longer confers sandbox escape privileges," Moore said. "This is a good thing for security."

However, Moore wanted to see more improvements related to the Java sandbox, such as adoption of the more secure technology used in Adobe Reader and Google Chrome.

"A malicious applet with a valid signature can still abuse JRE (Java Runtime Environment) security flaws to escape the sandbox and compromise the system," Moore said.

Andrew Storms, director of IT and security operations for Tripwire, said a change he liked was splitting the Java distribution in two, one for the client computer and browser and the other for the server, where corporations run their Java-based business applications.

"It's a smart move to differentiate the two parts of Java, because that has always been pretty confusing for all end users," Storms said.

Oracle, which acquired Java with the purchase of Sun Microsystems in 2010, has been criticized for some time by security pros for moving too slowly to stop Java exploits.

The spotlight was turned on the problem in January when a previously unknown flaw, actively exploited by cybercriminals, prompted the Department of Homeland Security to advise consumers to disable Java on their PCs. The DHS warning was the same advice security experts had been giving for quite a while.

While the security problems mostly involved the Java browser plug-in, the extensive publicity raised concern among Oracle's corporate customers. As a result, Oracle has started to show progress in handling Java security, experts say.

Stories by Antone Gonsalves