Security Plans Set for Java

Monday, June 3, 2013 @ 04:06 PM gHale

For quite a period of time, Java has been a security disaster with one vulnerability after another. Oracle now wants to establish any kind of future plans so starting in October this year, the software giant will release Java security updates as part of its Critical Patch updates.

The announcement came as part of the company’s plans to revamp how it will secure Java over the coming years. Nandini Ramani, the lead for the Java platform software development team, outlined the scheduling and technical security plans.

Ransomware Uses Java Zero Day
Java Zero Day Exploits Ready to Go
Adobe Fixes Acrobat, Reader, Flash
Malware Targets Java HTTP Servers

On the scheduling front, Oracle plans bring Java in line with its critical patch update scheduling from October 2013. Java security updates have previously released on their own schedule, but with the increase in vulnerabilities closed in each update – in 2012, updates closed 58 holes, in the first half of 2013, updates have already closed 97 holes – Oracle wants to make the releases more regular and part of its quarterly Critical Patch Update.

Ramani said the company will retain its ability to issue fixes through its Security Alert program. That move is not a surprise as Oracle reworked Java version numbering to allow for regular updates. In addition to the regular updates, the Java team at Oracle is expanding its use of automated security tools and is working with “Oracle’s primary source code analysis provider” to use its tools in the Java environment.

Technically, Oracle’s focus is on the inherent problems with Java in the browser and its trust/privilege model. Ramani said a number of changes to restrict trust in Java applets, especially in the most recent release of Java 7 Update 21 – using signing to establish the identity of an applet’s author but not necessarily raising the applet’s privileges, discouraging the execution of unsigned or self-signed applets, and adding checks for certificate validity. That last feature ended up disabled by default because of performance concerns and Ramani only said it will be a default in the future.

Other plans for the future include blocking all unsigned and self-signed applets and implementing better dynamic blacklisting.

Ramani did say the company will be reducing the number of libraries shipped with Server JRE, which it quietly introduced with Java 7 Update 21. The Server JRE doesn’t include the Java plugin for browsers, the auto-update or installer, but Oracle wants to reduce potential attack surfaces further by removing other libraries “typically unnecessary for server operation.” These changes would be significant and Oracle said it has to work with the Java Community Process to get such changes agreed upon. Which libraries are under consideration for removal is not disclosed though likely candidates could include Java2D and font handling.

Server JRE will most likely have different exploitation risks and will make it easier to determine whether a security issue affects Java on the desktop or Java in the server. A Local Security Policy system will also come to Java “soon” which will give administrators control over security policy settings during installation and deployment of Java with, among other things, options to restrict applet execution to specific hosts.

Leave a Reply

You must be logged in to post a comment.