Oracle Is Improving Java Security
Java has had a long history of vulnerabilities. Just this year, cybercriminals used Java zero-days to exploit newfound vulnerabilities as part of targeted attacks against government organizations and institutions.
In a recent blog post, Oracle, the developer of Java, announced that it would make the platform more secure by:
- Rolling out patches every three months starting October this year
- Using automated security testing tools on Java to detect new bugs and issues after every patch rollout
- Barring unsigned or self-signed apps from running
- Supporting Windows-enforced security policies
- Introducing a new, more secure Java distribution service created specifically for servers running Java apps
What This Means to You
Note Oracle's first three plans. The first, which promises the release of patches every three months, should help you quickly fix potential problems before cybercriminals can exploit them. This, coupled with Oracle's continuing distribution of out-of-band updates for critical vulnerabilities, ensures that cybercriminals will have a harder time carrying out zero-day attacks.
The second also addresses issues with bug fixes and patches. Automated security testing tools can help identify potential security gaps and allow Oracle to fix them in advance.
The third, however, will be the most significant. Once it is enforced, attackers will have to acquire a code-signing key to get their malicious Java applets to run. This may not stop a determined attacker from abusing the platform but will prevent common Java exploits from functioning.
Changes for the Better
While Oracle has not yet announced when the rollout will happen, the move shows that it acknowledges the security issues plaguing Java. It also shows that Oracle is taking steps to solve the issue proactively rather than reactively.
Despite Oracle's plans, you should still be careful whenever Java is concerned. Either update to the latest Java version and keep its security level "high" or uninstall it entirely. You can secure your Java-enabled computers with our help, of course.