Monday, January 28, 2013

Leader of Java Security Program Addresses Recent Concerns

Milton Smith, leader of Oracle's Java security program, held a public conference call with worldwide JUG leaders on January 24, 2013, to talk about Oracle's plan for Java security.  The call was an acknowledgement of a recent series of security vulnerabilities that have plagued the web browser plug-in.  For example, a new zero-day exploit surfaced on January 10 that targeted all versions of Java 7, including the latest version of Java at the time, Java 7 Update 10.  A few days later, Oracle released an out-of-cycle Java update, Java 7 Update 11, to address the new exploit.  Within a week, however, security researchers had discovered new vulnerabilities in Java 7 Update 11.  As a result, many organizations recommended disabling Java or removing it completely from end-user systems.

Mr. Smith began the call by saying, "The plan for Java security is really simple.  It's to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can't have one without the other."

During the call, Mr. Smith highlighted new security features introduced with Java 7 Update 10, such as support for a security slider in the Java Control Panel, and a new check box to turn Java on/off on the desktop.  He said that the focus is on Java in the browser: "that is really the concern we are targeting."

Mr. Smith expressed Oracle's interest in improving communication efforts with the Java community about security.  He said, "We have a lot of things that we're looking at.  We are going to talk about some ideas that I have, and people can comment on those, or what they think will work. I would be very much interested in that."

"No amount of talking or smoothing over is going to make anybody happy or do anything for us," he said. "We have to fix Java, and we have been doing that."
