Oracle has said that making Java more secure is a priority, as it lines up regular patch updates.
Oracle has released four security patches so far this year, and according to a blog post by Nandini Ramani from the software development team for the Java platform, Java will now issue four annual security releases, as well as retain the ability to issue emergency ‘out of band' security fixes.
Ramani said: “Oracle's additional investments have provided the organisation with the ability to more quickly respond to reports of zero-days and other particularly severe vulnerabilities. Java development has gained the ability to produce and test individual security fixes more quickly as evidenced by the quick releases of the most recent Java Security Alerts.
“In other words, the procedural and technical changes implemented throughout Java development have enabled the organisation to make improvements affecting both the critical patch update program (scheduled release of a greater number of security fixes) and the security alert program (faster release of unscheduled security fixes in response to zero-days or particularly severe vulnerabilities).”
Ramani said that Oracle is also addressing the limitations of the existing Java-in-browser trust/privileges model with product enhancements to the default security settings, giving users more control over security.
These include enhanced security warnings before executing applets with an old Java runtime and a security slider configuration option in JDK 7 Update 10 for automatic security expiration of older Java versions. Other changes include establishing the identity of the signer of applets in JDK 7 Update 21, so that signed applets can be run outside the sandbox, and allowing users to prevent the execution of any applets that are not signed.
Default plug-in security settings were changed to further discourage the execution of unsigned or self-signed applets.
Ramani also said that while the security problems affecting Java in browsers have generally not impacted Java running on servers, Oracle has found that the public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organisations committed to Java applications running on servers.
“As a result, Oracle is taking steps to address the security implications of the wide Java distribution model, by further dissociating client/browser use of Java (e.g. affecting home users) and server use (e.g. affecting enterprise deployments),” Ramani said.
Soon to be added will be local security policy features to allow system administrators to gain additional control over security policy settings during Java installation and deployment, and allow system administrators to restrict execution of Java applets to those found on specific hosts. Stronger measures have been proposed to further reduce attack surface, including the removal of certain libraries typically unnecessary for server operation.
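As an added illustration (not from the article or from Oracle's blog post), the following is what an administrator-controlled policy of the kind described above looks like in the Deployment Rule Set format that later shipped with the Java plug-in; the host names are constructed placeholders, and the assumption that this is the feature the post refers to is mine. Rules are evaluated in order, so the allow rules for approved intranet hosts come first and the final catch-all rule blocks every other applet:

```xml
<!-- ruleset.xml: packaged into a signed DeploymentRuleSet.jar and placed
     in the system-wide Java deployment directory (example, not Oracle's). -->
<ruleset version="1.0+">

  <!-- Approved internal host: applets may run, regardless of the user's
       own security-slider setting. -->
  <rule>
    <id location="https://apps.intranet.example.com" />
    <action permission="run" />
  </rule>

  <!-- A legacy application pinned to a specific JRE line. -->
  <rule>
    <id location="https://legacy.intranet.example.com" />
    <action permission="run" version="1.7*" />
  </rule>

  <!-- Catch-all: an <id/> with no location matches everything else, so any
       applet from an unlisted host is blocked and the user sees this message. -->
  <rule>
    <id />
    <action permission="block">
      <message>Applets from this site are blocked by corporate policy.</message>
    </action>
  </rule>

</ruleset>
```

The order matters: if the catch-all rule were placed first, no applet would ever run, since the first matching rule wins. Keeping the allow list to named hosts is the "restrict execution of Java applets to those found on specific hosts" control the article describes, and it works independently of the per-user security slider.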
Ramani said that such significant measures cannot be implemented in current versions of Java as they would violate current Java specifications.
“It is our belief that as a result of this ongoing security effort, we will decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment,” Ramani said.
“Oracle's effort has already enabled the Java development team to deliver security fixes more quickly, resulting in fewer outstanding security bugs in Java.”