Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Oracle reveals plans for Java security improvements

Lucian Constantin | June 3, 2013
The company will make changes that suggest it's listening to feedback from the security research community.

"The feature is not enabled by default because of a potential negative performance impact," Ramani said. "Oracle is making improvements to standardized revocation services to enable them by default in a future release."

The company is also working on adding centrally managed whitelisting capabilities to Java, which will help businesses control what websites are allowed to execute Java applets inside browsers running on their computers.

Unlike most home users, many organizations can't afford to disable the Java browser plug-in because they need it to access Web-based business-critical applications created in Java.

"Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization," Ramani said. "The policy feature will, for example, allow system administrators to restrict execution of Java applets to those found on specific hosts (e.g., corporate server assets, partners, etc.) and thus reduce the risk of malware infection resulting from desktops accessing unauthorized and malicious hosts."

Even though the recent Java security issues have generally only impacted Java running inside browsers, the public coverage of them has also caused concern among organizations that use Java on servers, Ramani said.

As a result, the company has already started to separate Java client from server distributions with the release of the Server JRE (Java Runtime Environment) for Java 7 Update 21 that doesn't contain the browser plug-in.

"In the future, Oracle will explore stronger measures to further reduce attack surface including the removal of certain libraries typically unnecessary for server operation," Ramani said. However, those changes are likely to come in future major versions of Java since introducing them now would violate current Java specifications, she said.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.