Not good enough, Oracle – promises to secure Java are too little, too late


java-170Oracle has promised to work harder to make Java more secure.

Given the constant flood of high-profile, heavily-exploited vulnerabilities, are Oracle’s new ideas going to be enough to save this piece of software from drowning in bad vibes?

In a lengthy blog post last week, the head of Java development, Nandini Ramani, summed up what’s been done to “address issues with the security-worthiness of Java”.

A passing mention is made to “several reports of security vulnerabilities in Java”.

That “several” refers to a constant barrage of vulnerabilities, patches, zero-days, more patches and more vulnerabilities, going back several years.

Oracle blog post

Java has been been home to a glut of security dangers for a long time now. In our Virus Bulletin prevalence reports, we combine data from a wide range of sources, and Java has been in the top five all this year and was the third biggest detection type overall in 2012.

Thanks to its cross-platform design, Java holes can hit multiple operating systems and have been behind some of the most high-profile and damaging attacks of the last year or two.

There are a few positive things to note in Oracle’s blog post, such as the separation of client and server-side, and improved (though far from perfect) sandboxing, as many vulnerability experts have conceded.

Increasing patch releases to four times a year (plus extras in emergencies) is, of course, a step in the right direction, although the industry widely agrees that monthly would be better. Sure, frequent patch cycles are a headache for admins, but surely it’s better to have a small headache once a month than a massive migraine four times a year.

So, I suppose it is a good thing that Oracle are trying to face up to the problems with Java, even if it is pushing much of the blame onto issues at Sun, before the Oracle acquisition. It’s taken too long to get this far though, and things are still moving far too slowly.

spilt-coffee-170The standard advice from Naked Security has long been to disable Java in the browser at least, and to avoid installing it at all if it’s not *absolutely* required.

If something is this leaky and dangerous, there must be a better option. Granted, in some businesses with creaky legacy setups, it isn’t easy to adopt a new approach, but given how long this has been a major issue, many must be at least considering moving away from the platform.

For some time now, numerous voices have advocated dropping Java and called for its rapid retirement, as the tragic roller-coaster of disasters has unfolded. Now Oracle says they’re stepping up to the plate, ready to do what they can to fix it, but surely it’s a case of too little, too late.

If Java is entrenched in your business, I’d suggest getting busy with looking for an alternative. If you’re still allowing it in your browser, just stop now.