Oracle Updates Java To Improve Plug-In Security

By Ken Presti, CRN 2:41 PM EST Thu. Dec. 20, 2012

Oracle released a Java update intended to improve the security of its browser plug-in, which has become such a favored attack surface for cybercriminals that many industry experts have recommended disabling it whenever possible.

The Oracle Java Development Kit 7 Update 10 (JDK 7u10) offers two new features likely to strengthen the security of networks in which Java is enabled.

The primary upgrade involves the ability to disable Java within the browser by custom configuration. In addition, a new control panel is intended to help channel partners and IT administrators define security parameters and to identify when their Java software is becoming outdated.


"The ability to turn off Java within the browser is a very positive development," said Qualys CTO Wolfgang Kandek. "If you ... cannot turn off Java in the browser, there are configuration settings that allow you to prohibit unsigned applets. Many times applets are not digitally signed. This is particularly true of malware, although they sometimes steal a certificate, which is pretty rare. This new feature helps to close that vulnerability, but it also forces developers to work more closely with the certificate authorities. So if you have internal applets that you use, you may need to set up a relationship with a certificate authority in order to leverage this feature."

Although Kandek acknowledges that the update improves the security of the Java plug-in, the enhancement does not change his primary guidance on whether to deploy Java at all.

"My recommendation is the same," he said. "If you don't need Java, you should not have it installed. Many companies have a standard software image that they give out to everybody. Basically, it is a superset of all the applications that anyone in the company would need. This simplifies deployment for the IT people, but it also means that some people are likely to get software that is not really necessary to what they do. Despite the fact that it makes matters easier, it is not really the proper way to deploy software," he said.

"You want the lowest number of programs on your standard image, and then add the things that are necessary to support the roles of the specific individuals. Even though there is extra effort in doing this, it will help to reduce the attack surfaces and thereby provide better security."

Kandek also noted that support for Java 6 will terminate early next year.

"At that point vulnerabilities will tend to accumulate, so it will be important to work towards the Java 7 migration, if you need to run Java at all."
