In a blog post late last week, Nandini Ramani, head of the software development team that builds the Javaplatform, acknowledged the problems that have affectedJava running in Web browsers and outlined three significant steps her company would be ...
No Java Patch For You: 93 Percent Of Users Run Older Versions Of TheDark Reading
Researchers find Java users woefully tardy on patchingCSO
Oracle Promises Enterprise Java Security TweaksInformationWeek SMB (blog)
SC Magazine -Register -Naked Security
In a blog post late last week, Nandini Ramani, head of the software development team that builds the Java platform, acknowledged the problems that have affected Java running in Web browsers and outlined three significant steps her company would be taking to get Java's security headaches managed.
The most significant outward change will be the addition of another scheduled update every year for Java, ramping up the number of scheduled updates from the current three per year to four per year. The new update has already happened for 2013, when the Critical Patch Update for Java SE happened in April.
Beginning with the October 2013 scheduled update, the Java update schedule will align with the quarterly Oracle Critical Patch Update program that's already in place for every other Oracle product, Ramani explained.
"Obviously, Oracle will retain the ability to issue emergency 'out of band' security fixes through the Security Alert program," she added.
Another change to the Java platform has been alterations to the browser trust/privileges model, which, upon the release of JDK 7 Update 21 back in April, included changes to the default security settings to "discourage the execution of unsigned or self-signed applets," Ramani outlined.
In addition, Oracle is planning to increase its investment in the Java organization so the team will have "the ability to more quickly respond to reports of 0-days and other particularly severe vulnerabilities."
Ramani's blog entry does a good job outlining the myriad of plans designed to get Java's security problems under control. What is stunning, though, about these changes is that they took this long to get implemented. Ramani herself raised the issue:
Whenever Oracle makes an acquisition, acquired product lines are required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance. As a result, for example, the Java development organization had to adopt Oracle’s Security Fixing Policies, which among other things mandate that issues must be resolved in priority order and addressed within a certain period of time.This is all well and good, but given that Oracle started the process of acquiring Sun Microsystems in the spring of 2009 and completed the acquisition 42 months ago in January 2010, that's a long time to get Java's security policies aligned with Oracle's.
It is not clear what the cause of the delay was, but given the widespread use of Java, the platform is probably one of the most - if not the most - important technology Oracle picked up with Sun. It would be nice if they could actually start treating it with the priority it deserves.