Oracle’s Java Changes ‘Too Little, Too Late’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Security experts still think businesses should find alternatives as quickly as possible

Silicon Valley titan Oracle is trying to make amends for all of its Java flaws, but it is still drawing criticism from security experts.

Having issued a statement last week, outlining ways in which it was backing up the “security worthiness” of Java, Oracle has been told it is all “too little, too late”.

Java effort

java-flaw1Oracle admitted there had been “several reports of security vulnerabilities in Java”, when in reality there have been many more, some of which have been used to serve up the Blackhole exploit kit to give hackers control over users’ machines.

Larry Ellison’s firm said it had adopted “stricter procedures” to deal with the manifold issues, whilst critical patch updates have contained historically high numbers of fixes for Java.

It announced that from October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products. That means Java will get updated at least four times a year.

The vendor has made a number of other recent improvements to Java. A good way to exploit Java in the past has been to get users to run Java applets that give external hackers full control over victims’ machines. To address this Oracle has added warnings prior to applet execution where an old version of Java is running. It also allowed users to run signed applets without allowing them to run outside the sandbox.

The firm promised to block the execution of self-signed or unsigned code in Java in the near future, to block malicious outside actors.

Despite all this, Sophos’ John Hawes said “it’s taken too long to get this far though, and things are still moving far too slowly”.

“If something is this leaky and dangerous, there must be a better option. Granted, in some businesses with creaky legacy setups, it isn’t easy to adopt a new approach, but given how long this has been a major issue, many must be at least considering moving away from the platform,” he added, in a blog post.

“If Java is entrenched in your business, I’d suggest getting busy with looking for an alternative. If you’re still allowing it in your browser, just stop now.”

Are you a security guru? Try our quiz!