After a widely reported zero-day vulnerability affecting Java and another rumoured to be trading for $5,000, Oracle has admitted that there has been a "relative silence on the issue" around Java security.
Reza Rahman, technology evangelist at Oracle, said in a blog that there has been a veritable media firestorm around the recent Java vulnerability.
In a recent recording of a conference call, Milton Smith, security lead for Java, said that the priorities were “to get Java fixed up and to communicate our efforts widely”. He said: “We really cannot have one without the other, no amount of talking or smoothing over is going to make anyone happy or do anything for us.
“We have to fix Java, and we have been doing that, and there are some things that are visible to the public as far as the number of changes and CPUs, as well as some security changes we added. A lot of the things that we are looking into are in relation to Java in the browser, as that is where we have seen most of the weaknesses.”
Speaking about ‘the communication plan’, Smith said that plans exist, but Oracle needs to let its engineers and its audiences know what is going on. “It is often frustrating for us to get a message out, so after we hit all the approvals, often understanding how to get a message out is challenging,” he said.
“I know communications has been a big concern for everybody and even internally, we understand that when we need to communicate and are open it is better received for us.”
Rahman said: “Hopefully it comes as some relief that Oracle is now starting to openly speak up on the issue.
“We can expect this to be the tip of the iceberg of what will be done on the Java security and communication fronts.”
Andrew Storms, director of security operations at nCircle, said: “Oracle's public admission that they have a security problem with the Java browser plug-in is a step forward. It's good to finally see Oracle acknowledge the seriousness of the situation. Unfortunately, we needed this admission a year ago before its customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb.
“The content in the Java security discussion was pretty lacklustre. You've got to wonder what role the Oracle press team has had in the company's response to all the security criticism they've had lately. I felt bad for the people representing Oracle on this call because they didn't sound well prepared. They didn't sound like they have a clear idea of what to do, what to say or even exactly who they were speaking to.”