A few weeks ago, Oracle published a blog post stating that they were going to improve the security of Java. What exactly did Oracle say, and what does it mean for you?
Security Patches: Oracle says their recent patches have closed significantly more security holes than ever before. More importantly, Java’s update schedule has finally been brought in line with other Oracle products; patches will take place every three months starting this October. This will fix potential problems before attackers can exploit them. Oracle will continue to provide out-of-band updates for critical vulnerabilities as needed.
Java Security: Oracle brought Java under their Software Security Assurance Policies, which means that Oracle will be using automated security testing tools to prevent regressions and new issues from re-appearing after a bug is fixed. As a result, bugs will be patched much faster in the future.
Security in Browsers: Oracle has been trying to improve the security of Java in browsers. They will implement Java versions that prohibit unsigned or self-signed applications to run. This would be a significant increase in the security of Java because attackers will require a code-signing key to get their Java applets to run. It’s still uncertain exactly when this will happen.
Java Processes: Oracle is improving how Java revokes signature-signing processes. Eventually, you’ll be able to turn this on by default. In the future, enterprise users will have versions with added support enforced by Windows’ security policies. System administrators will be able to set network-wide policies to restrict Java usage without individual users having to do this.
In addition, a new type of Java distribution will be available. Server JRE is being created specifically for servers that run Java applications. It will remove multiple libraries to reduce potential attack surfaces.
Oracle recognizes the challenges with Java security, and is making changes for the better. They’re working hard to improve Java, and move forward.
Until Oracle has completed the changes within Java, all users are encouraged to update to the latest version of Java.
“[Your] professionalism in dealing with this situation at the Zero hour is definitely a rarity. Your team’s response was to take on a project that you had no prior knowledge of other than a customer was in a tight spot and needed assistance.”