To say Java is vulnerable to exploits would be the understatement of the year. In the first two months of 2013, the software was hit with three zero-day exploits. Oracle eventually fixed all of these exploits, but Oracle should have worked harder to make it more secure in the first place. In a better-late-than-never move, the software maker will be doing just that.
Oracle announced in a blog post that it will align Java with its Critical Patch Update schedule in October of this year. In other words, Oracle will release four annual security fixes for Java instead of the three it releases now. For zero-days and other sudden exploits, Oracle will “retain the ability to issue emergency ‘out of band’ security fixes.”
The above is part of a larger push to move Java into the Oracle Software Security Assurance program. The hope is that this will help prevent “the introduction of new vulnerabilities in the Java code base.” Oracle says that its developers will use more automated security testing tools alongside new analysis tools that will find certain types of vulnerabilities.
For consumers running Java in their browsers, Oracle will be introducing three changes to how Java interacts with the browser:
On a final note, Oracle will also be increasing security for Java on servers to increase enterprise customers’ trust in its services. The software maker points out that Java on servers is rarely affected by exploits, but it wants to take a better-safe-than-sorry approach to the matter. It will do this by introducing what it calls Server JRE – a new Java distribution that removes vulnerable plugins. It will also work towards removing certain code libraries that are unnecessary for server distributions of Java.
All of the above makes it sound like Oracle is taking Java security very seriously. Of course, words and actions are two different things, so we’ll have to see how Oracle reacts to emerging threats later this year when it implements its new security policies.