Milton Smith, leader of Oracle's Java security program, held a public conference call with worldwide JUG leaders on January 24, 2013, to talk about Oracle's plan for Java security. The call was an acknowledgement of a recent series of security vulnerabilities that have plagued the web browser plug-in. For example, a new zero-day exploit surfaced on January 10 that targeted all versions of Java 7, including the latest version of Java at the time, Java 7 Update 10. A few days later, Oracle released an out-of-cycle Java update, Java 7 Update 11, to address the new exploit. Within a week, however, security researchers had discovered new vulnerabilities in Java 7 Update 11. As a result, many organizations recommended disabling Java or removing it completely from end-user systems.
Mr. Smith began the call by saying, "The plan for Java
security is really simple. It's to get Java fixed up number one, and
then number two, to communicate our efforts widely. We really can't have
one without the other."
During the call, Mr. Smith highlighted new security features
introduced with Java 7 Update 10, such as support for a security slider
in the Java Control Panel, and a new check box to turn Java on/off on
the desktop. He said that the focus is on Java in the browser, "that is
really the concern we are targeting."
Smith expressed Oracle's interest in improving communication efforts
with the Java community about security. He said, "We have a lot of
things that we're looking at. We are going to
talk about some ideas that I have, and people can comment on those, or
what they think will work. I would be very much interested in that."
"No amount of talking or smoothing over is going to make
anybody happy or do anything for us," he said. "We have to fix Java, and
we have been doing that."