Oracle looking to improve Java security

Oracle’s Java, in its current form, is hardly the most secure of platforms. With huge breaches and exploits seemingly every week, the firm is looking to improve security.

The latest tactic by cybercriminals tricks users into running malicious code through a “signed” applet.

A website belonging to Chemnitz University of Technology in Germany was the latest found to be infected with the “g01pack” exploit, as discovered by security researcher Eric Romang.

Addressing this type of exploit is just one of the security improvements planned by Oracle, and it relates to fixing its certificate revocation checking. Other plans include preventing unsigned apps from running by default and adding a centralised management option with whitelisting for enterprises.

Certificate revocation checking already has a solution in the form of certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP), but it is disabled by default due to performance issues. Once standardised, they will be enabled by default.

For enterprises, Oracle will offer more management options to control which websites are allowed to run applets in the browsers on their computers. Because many business-critical web-based tools run on Java, disabling it altogether may not be feasible for many companies.

Nandini Ramani, vice president of engineering for Java Client and Mobile Platforms at Oracle, said in a blog post the changes are to “decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment.”

Oracle will be hoping the blog post, entitled "the security worthiness of Java", will help reassure critics that Java is a secure platform and that steps are being taken to ensure it is only improved upon going forward.

Part of this progression will be more routine patching of security flaws from October; automated testing tools will help find these vulnerabilities so they can be fixed before they become a widespread problem.

To show its dedication to fixing these so far, Oracle has listed its changes from last year: a February 2012 patch fixed 14 issues, June’s a further 14, whilst October’s delivered 30.

Moving into this year, its efforts were further ramped up: in February 55 fixes were made, and in April 42 were squashed.

Is Oracle doing enough to fix the security issues with Java? Have you personally run into any problems?