Oracle plans to make changes to strengthen the security of Java, including fixing its certificate revocation checking feature, preventing unsigned applets from being executed by default and adding centralized management options with whitelisting capabilities for enterprise environments. These changes, along with other security-related efforts, are intended to "decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment."

The development team has expanded the use of automated security testing tools, facilitating regular coverage over large sections of Java platform code. The team worked with Oracle's primary provider of source code analysis services to make these tools more effective in the Java environment and also developed so-called "fuzzing" analysis tools to weed out certain types of vulnerabilities.
The apparent lack of proper source code security reviews and quality assurance testing for Java 7 was one of the criticisms brought by security researchers in light of the large number of critical vulnerabilities that were found in the platform.

The changes were meant to discourage the execution of unsigned or self-signed applets. "In the near future, by default, Java will no longer allow the execution of self-signed or unsigned code."

Such default behavior makes sense from a security standpoint considering that most Java exploits are delivered as unsigned Java applets. However, there have been cases of digitally signed Java exploits being used in the past and security researchers expect their number to increase.
Because of this it's important for the Java client to be able to check in real time the validity of digital certificates that were used to sign applets. At the moment Java supports certificate revocation checking through both certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP), but this feature is disabled by default.
Oracle is making improvements to standardized revocation services to enable them by default in a future release. Unlike most home users, many organizations can't afford to disable the Java browser plug-in because they need it to access Web-based business-critical applications created in Java.
Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java. Even though the recent Java security issues have generally only impacted Java running inside browsers, the public coverage of them has also caused concern among organizations that use Java on servers. As a result, the company has already started to separate Java client from server distributions with the release of the Server JRE (Java Runtime Environment) for Java 7 Update 21 that doesn't contain the browser plug-in.
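As an added illustration, not taken from the article or from Oracle's own documentation, the fragment below shows how an administrator can already turn on the CRL and OCSP revocation checks that the article says are disabled by default, and lock them so users cannot switch them off in the Java Control Panel. It uses the Java 7 deployment configuration mechanism (a system-level deployment.config pointing at a mandatory deployment.properties, with the .locked suffix to pin a setting); the file paths shown are the documented defaults and should be checked against the update actually deployed.

```properties
# --- deployment.config (system-level file; on Windows typically
# %WINDIR%\Sun\Java\Deployment\deployment.config, on Linux
# /etc/.java/deployment/deployment.config). It tells every JRE on the
# host where the centrally managed properties live and refuses to run
# Web-deployed Java if that file cannot be loaded.
deployment.system.config=file:///etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# --- deployment.properties (the file referenced above)

# Check applet signing certificates against the issuing CA's
# Certificate Revocation Lists. A bare "<key>.locked" line pins the
# value so the Java Control Panel shows it greyed out.
deployment.security.validation.crl=true
deployment.security.validation.crl.locked

# Also ask the CA's OCSP responder for the certificate's current status,
# so a certificate revoked after a signed exploit is found is rejected.
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked

# Raise the applet security level so unsigned and self-signed code is
# blocked outright instead of merely prompting the user.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

Both checks need outbound access to the CA's CRL and OCSP endpoints; on a network that blocks them, validation fails closed and legitimately signed applets stop loading, so test the policy against the business applications the article mentions before rolling it out.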