{"id":2409,"date":"2013-06-01T12:00:00","date_gmt":"2013-06-01T16:00:00","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=2409"},"modified":"2013-06-01T12:00:00","modified_gmt":"2013-06-01T16:00:00","slug":"oracle-reveals-plans-for-java-security-improvements","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2013\/06\/01\/oracle-reveals-plans-for-java-security-improvements\/","title":{"rendered":"Oracle reveals plans for Java security improvements"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2040411\/oracle-reveals-plans-for-java-security-improvements.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/05\/oracle_java-100026145-whole-100039776-gallery.jpg\" \/><\/a><\/p>\n<p>Oracle plans to make changes to strengthen the security of Java, including fixing its certificate revocation checking feature, preventing unsigned applets from being executed by default and adding centralized management options with whitelisting capabilities for enterprise environments.<br \/>\nThese changes, along with other security-related efforts, are intended to \u201cdecrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment,\u201d said Nandini Ramani, vice president of engineering for Java Client and Mobile Platforms at Oracle, in a blog post on Thursday.<br \/>\nRamani\u2019s blog post, which discusses \u201cthe security worthiness of Java,\u201d indirectly addresses some of the criticism and concerns raised by security researchers this year following a string of successful and widespread attacks that exploited zero-day\u2014previously unpatched\u2014vulnerabilities in the Java browser plug-in to compromise computers.<br \/>\nRamani reiterated Oracle\u2019s plans to accelerate the Java patching schedule starting from 
October, aligning it with the patching schedule for the company\u2019s other products, and revealed some of the company\u2019s efforts to perform Java security code reviews.<\/p>\n<p style=\"text-align:left;\">\u201cThe Java development team has expanded the use of automated security testing tools, facilitating regular coverage over large sections of Java platform code,\u201d she said. The team worked with Oracle\u2019s primary provider of source code analysis services to make these tools more effective in the Java environment and also developed so-called \u201cfuzzing\u201d analysis tools to weed out certain types of vulnerabilities.<\/p>\n<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2040411\/oracle-reveals-plans-for-java-security-improvements.html\"><img decoding=\"async\" alt=\"\" src=\"http:\/\/nccomputertech.files.wordpress.com\/2013\/05\/security-100026749-medium.jpg\" \/><\/a><\/p>\n<p>The apparent lack of proper source code security reviews and quality assurance testing for Java 7 was one of the criticisms brought by security researchers in light of the large number of critical vulnerabilities that were found in the platform.<br \/>\nRamani also noted the new security levels and warnings for Java applets\u2014Web-based Java applications\u2014that were introduced in Java 7 Update 10 and Java 7 Update 21 respectively.<br \/>\nThese changes were meant to discourage the execution of unsigned or self-signed applets, she said. \u201cIn the near future, by default, Java will no longer allow the execution of self-signed or unsigned code.\u201d<br \/>\nSuch default behavior makes sense from a security standpoint considering that most Java exploits are delivered as unsigned Java applets. 
However, there have been cases of digitally signed Java exploits being used in the past and security researchers expect their number to increase.<br \/>\nBecause of this, it\u2019s important for the Java client to be able to check in real time the validity of digital certificates that were used to sign applets. At the moment Java supports certificate revocation checking through both certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP), but this feature is disabled by default.<br \/>\n\u201cThe feature is not enabled by default because of a potential negative performance impact,\u201d Ramani said. \u201cOracle is making improvements to standardized revocation services to enable them by default in a future release.\u201d<br \/>\nThe company is also working on adding centrally managed whitelisting capabilities to Java, which will help businesses control what websites are allowed to execute Java applets inside browsers running on their computers.<br \/>\nUnlike most home users, many organizations can\u2019t afford to disable the Java browser plug-in because they need it to access Web-based business-critical applications created in Java.<br \/>\n\u201cLocal Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization,\u201d Ramani said. \u201cThe policy feature will, for example, allow system administrators to restrict execution of Java applets to those found on specific hosts (e.g., corporate server assets, partners, etc.) 
and thus reduce the risk of malware infection resulting from desktops accessing unauthorized and malicious hosts.\u201d<br \/>\nEven though the recent Java security issues have generally only impacted Java running inside browsers, the public coverage of them has also caused concern among organizations that use Java on servers, Ramani said.<br \/>\nAs a result, the company has already started to separate Java client from server distributions with the release of the Server JRE (Java Runtime Environment) for Java 7 Update 21 that doesn\u2019t contain the browser plug-in.<br \/>\n\u201cIn the future, Oracle will explore stronger measures to further reduce attack surface including the removal of certain libraries typically unnecessary for server operation,\u201d Ramani said. However, those changes are likely to come in future major versions of Java since introducing them now would violate current Java specifications, she said.<br \/>\nvia <a href=\"http:\/\/www.pcworld.com\/article\/2040411\/oracle-reveals-plans-for-java-security-improvements.html\" target=\"_blank\">Oracle reveals plans for Java security improvements | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oracle plans to make changes to strengthen the security of Java, including fixing its certificate revocation checking feature, preventing unsigned 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9],"tags":[341,583,782,1178],"class_list":["post-2409","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-exploit","tag-java","tag-oracle","tag-vulnerability"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-CR","jetpack-related-posts":[{"id":5980,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/15\/future-java-7-security-patches-will-work-on-windows-xp-despite-end-of-official-support\/","url_meta":{"origin":2409,"position":0},"title":"Future Java 7 security patches will work on Windows XP despite end of official support","author":"NCCT","date":"July 15, 2014","format":false,"excerpt":"Oracle has dispelled rumors that the upcoming security update for Java 7 and those it will release in the future might not work on Windows XP. 
\u201cWe expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7766,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/03\/10\/playing-minecraft-no-longer-makes-your-pc-a-juicy-target-for-hackers\/","url_meta":{"origin":2409,"position":1},"title":"Playing Minecraft no longer makes your PC a juicy target for hackers","author":"NCCT","date":"March 10, 2015","format":false,"excerpt":"The folks at Microsoft-owned Mojang just gave PC users one more reason to uninstall Java from their systems. The Minecraft launcher for PC now installs and manages its own instance of Oracle\u2019s software. The version of Java the new Minecraft launcher uses is contained within the game\u2019s directory\u2014meaning you no\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5916,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/08\/attack-on-dailymotion-redirected-visitors-to-exploits\/","url_meta":{"origin":2409,"position":2},"title":"Attack on Dailymotion redirected visitors to exploits","author":"NCCT","date":"July 8, 2014","format":false,"excerpt":"Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware. The rogue code consisted of an iframe that appeared on Dailymotion on June 28, researchers from security vendor Symantec said Thursday in a blog post. 
The iframe redirected browsers to\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7751,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/03\/06\/more-iot-insecurity-this-blu-ray-disc-pwns-pcs-and-dvd-players\/","url_meta":{"origin":2409,"position":3},"title":"More IoT insecurity: This Blu-ray disc pwns PCs and DVD players","author":"NCCT","date":"March 6, 2015","format":false,"excerpt":"For more than a decade, malicious hackers have used booby-trapped USB sticks to infect would-be victims, in rare cases to spread virulent, self-replicating malware on air-gapped computers inside a uranium enrichment plant. Now, a security researcher says he has found a way to build malicious Blu-ray discs that could do\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":6231,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/08\/11\/microsoft-to-issue-many-windows-patches\/","url_meta":{"origin":2409,"position":4},"title":"Microsoft to issue many Windows patches","author":"NCCT","date":"August 11, 2014","format":false,"excerpt":"Microsoft has released their advance notification for the August 2014 Patch Tuesday updates. There will be a total of nine updates issued next Tuesday, August 12, two of them rated critical. The two critical bugs affect Windows and Internet Explorer. 
The critical Windows update affects only business and professional editions\u2026","rel":"","context":"In &quot;Microsoft&quot;","block_context":{"text":"Microsoft","link":"https:\/\/nccomputertech.com\/techtalk\/category\/microsoft\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":8751,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/11\/16\/state-sponsored-cyberspies-inject-victim-profiling-and-tracking-scripts-in-strategic-websites\/","url_meta":{"origin":2409,"position":5},"title":"State-sponsored cyberspies inject victim profiling and tracking scripts in strategic websites","author":"NCCT","date":"November 16, 2015","format":false,"excerpt":"By Lucian Constantin | PCWorld Web analytics and tracking cookies play a vital role in online advertising, but they can also help attackers discover potential targets and their weaknesses, a new report shows. Security researchers from FireEye have discovered an attack campaign that has injected computer profiling and tracking scripts\u2026","rel":"","context":"In 
&quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=2409"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/2409\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=2409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=2409"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=2409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
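The article's point about revocation checking is that the Java client can validate applet signing certificates against CRLs and OCSP but leaves that check switched off by default, so a signed exploit whose certificate has since been revoked still runs. The following is an added example, not code from the article, PCWorld or Oracle: a stand-alone Java program that verifies every entry of a signed jar and then runs PKIX path validation on each signer chain with OCSP and CRL Distribution Point fetching turned on, so a revoked or unverifiable signer fails instead of passing silently. It assumes the JRE's stock trust store at java.home/lib/security/cacerts and takes the jar path as its only argument; the class and method names are mine.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

/**
 * Added example (not from the article or from Oracle): verify a signed jar and
 * validate each signer chain with revocation checking switched ON, the check the
 * article says the Java client leaves off by default.
 */
public class SignedJarRevocationCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SignedJarRevocationCheck <signed.jar>");
            System.exit(2);
        }
        // Both switches default to false in the JDK. ocsp.enable is a Security property;
        // com.sun.security.enableCRLDP is a System property that lets the validator fetch
        // CRLs from the certificate's CRL Distribution Points extension.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        Set<TrustAnchor> anchors = loadDefaultTrustAnchors();
        boolean allGood = true;
        try (JarFile jar = new JarFile(args[0], true)) {      // true: verify signatures
            for (List<X509Certificate> chain : signerChains(jar)) {
                String signer = chain.get(0).getSubjectX500Principal().getName();
                try {
                    validateWithRevocation(chain, anchors);
                    System.out.println("OK   " + signer);
                } catch (CertPathValidatorException e) {
                    allGood = false;
                    System.out.println("FAIL " + signer + ": " + e.getReason() + " - " + e.getMessage());
                }
            }
        }
        System.exit(allGood ? 0 : 1);
    }

    /** Assumption: the JRE's stock trust store lives at java.home/lib/security/cacerts. */
    static Set<TrustAnchor> loadDefaultTrustAnchors() throws Exception {
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null);   // null password: read the store without the integrity check
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    /**
     * Read every non-metadata entry to completion (JarFile verifies an entry, and exposes
     * its signers, only once its bytes have been read) and collect the distinct signer chains.
     * An unsigned entry inside an otherwise signed jar is treated as a failure, not skipped.
     */
    static Set<List<X509Certificate>> signerChains(JarFile jar) throws Exception {
        Set<List<X509Certificate>> chains = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        for (JarEntry entry : Collections.list(jar.entries())) {
            if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* reading drives signature verification */ }
            }
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null) throw new SecurityException("unsigned entry: " + entry.getName());
            for (CodeSigner s : signers) {
                List<X509Certificate> chain = new ArrayList<>();
                for (Certificate c : s.getSignerCertPath().getCertificates()) chain.add((X509Certificate) c);
                chains.add(chain);
            }
        }
        return chains;
    }

    /** PKIX validation with revocation enabled; a trust anchor included in the jar's chain is trimmed off. */
    static void validateWithRevocation(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws Exception {
        List<X509Certificate> path = new ArrayList<>(chain);
        for (TrustAnchor a : anchors) {
            if (path.size() > 1 && a.getTrustedCert().equals(path.get(path.size() - 1))) {
                path.remove(path.size() - 1);
                break;
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);   // false here reproduces the client's "no revocation check" default
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }
}
```

Compile with javac and run with the path to a signed jar. With revocation enabled and no way to reach a CRL or OCSP responder (for example offline, or with the two property lines removed), the PKIX validator refuses the chain with reason UNDETERMINED_REVOCATION_STATUS rather than quietly accepting it, which is the behaviour the article argues the client should have; the performance cost Ramani mentions is the network round trip that check implies. Setting setRevocationEnabled(false) reproduces the permissive default and is the one line an auditor should look for in any code that validates signed Java code.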