5 Significant Java Security Improvements That Foil Attacks
4:41 PM EST Tue. Jun. 04, 2013
Oracle has been under pressure to address gaping security vulnerabilities and configuration weaknesses in its Java Runtime Environment, which has become the most widely exploited software platform on the Internet. In addition to revamping its internal incident response and software patching procedures, the software giant has introduced restrictions and stronger certificate validation processes that make it harder for an attacker to exploit a vulnerability. Security experts are embracing the changes, but they say Oracle still needs stronger sandboxing: a more robust Java applet container would keep malicious code from escaping and giving an attacker access to a victim's machine. Still, the improvements are significant. Here are the five biggest changes to the platform.
Oracle recommends that websites switch to signed Java applets. Signing establishes the identity of the signer, but historically a signed applet also ran with full privileges outside the sandbox, so signing became a way to escalate privileges and effectively undermined the sandbox. In what is seen as one of the most significant security improvements, code signing an applet no longer confers sandbox escape privileges by itself. Metasploit creator and Rapid7 CSO HD Moore said the practice of signing applets has been targeted by attackers and consistently abused by security auditors for years.
Oracle said it is discouraging the use of unsigned and self-signed Java applets, and that future versions will no longer execute self-signed or unsigned code at all. In the meantime, users are prompted and must manually approve an unsigned applet before it runs. Rapid7's Moore said the change also centralizes management of Java security policies and allows developers to whitelist specific websites.
Oracle said it will make certificate revocation effective for signed applets by enabling the standard revocation-checking services by default. Signed applets will be checked against Certificate Revocation Lists or the Online Certificate Status Protocol each time they run. The ability to check the chain of trust for revocation was already available but was turned off by default because of its performance cost. Oracle said it also improved its blacklisting functionality to allow daily updates of both blacklisted Java archive files and certificates.
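The per-run CRL/OCSP check the plug-in now performs is the same PKIX path validation the JDK exposes to any application. The following is an added example, not code from the article or from Oracle, showing how to verify every signed entry of a JAR against the JRE trust store with revocation checking switched on and soft-fail disabled, so that an unreachable responder rejects the JAR instead of silently passing it. The class name RevocationCheckedJar, the verify() helper, and the use of the JRE's cacerts file with its default password are assumptions of the example; PKIXRevocationChecker requires Java 8 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (not Oracle's code): verify a signed JAR the way a privileged
 * applet should be verified, i.e. chain to a trusted CA AND check revocation
 * of every certificate in the chain via OCSP, falling back to CRL, fail closed.
 */
public class RevocationCheckedJar {

    /** Returns true only if every non-metadata entry is signed and every signer chain validates. */
    public static boolean verify(String jarPath, KeyStore trustStore) throws Exception {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        // Empty option set: check the whole chain, prefer OCSP, fall back to CRL,
        // and do NOT set SOFT_FAIL, so "could not fetch status" is an error.
        revocation.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXParameters params = new PKIXParameters(trustStore);
        params.addCertPathChecker(revocation);

        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures on read
            for (Enumeration<JarEntry> entries = jar.entries(); entries.hasMoreElements(); ) {
                JarEntry entry = entries.nextElement();
                // The manifest and signature blocks are not themselves signed entries.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;

                // Signer information is only populated once the entry has been read to the end;
                // a tampered entry throws SecurityException while being drained here.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.err.println("unsigned entry: " + entry.getName());
                    return false;
                }
                for (CodeSigner signer : signers) {
                    CertPath chain = signer.getSignerCertPath();   // leaf first, as PKIX expects
                    try {
                        validator.validate(chain, params);
                    } catch (CertPathValidatorException e) {
                        // Reason is REVOKED for a revoked certificate, or
                        // UNDETERMINED_REVOCATION_STATUS when OCSP/CRL could not be obtained.
                        System.err.println(entry.getName() + ": " + e.getReason() + " - " + e.getMessage());
                        return false;
                    }
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Trust store assumption: the JRE's own cacerts file with its default password.
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            cacerts.load(in, "changeit".toCharArray());
        }
        boolean ok = verify(args[0], cacerts);
        System.out.println(args[0] + (ok ? ": signed, trusted and not revoked" : ": REJECTED"));
        System.exit(ok ? 0 : 1);
    }
}
```

Run as `java RevocationCheckedJar app.jar`. Because SOFT_FAIL is left unset, a JAR whose signer's OCSP responder or CRL distribution point cannot be reached is rejected with UNDETERMINED_REVOCATION_STATUS; that network round trip is the performance cost that kept the check off by default, and failing closed is the right trade-off for code that will run with privileges. The example validates at the current time, so a signature whose certificate has expired since signing fails even if the JAR carries a trusted timestamp; reading signer.getTimestamp() and passing its date to params.setDate() would relax that for timestamped signatures.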
Oracle introduced the Server JRE in Java 7 Update 21 to separate client-side, browser use of Java, which primarily affects home users, from server-side Java deployments. The new Server JRE distribution omits the browser plug-ins, both to reduce the attack surface and to remove customer confusion when evaluating risk factors, Oracle said, adding that it also plans to remove certain libraries that are typically unnecessary for server operation.
Oracle said enterprise deployment of Java will soon be updated to let system administrators control policy settings at installation and throughout deployment across the organization. Administrators will be able to block particular Java applets from running and to whitelist applets served from corporate servers or partners.
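Oracle shipped this administrator control after the article, in Java 7 Update 40, as the Deployment Rule Set. The ruleset below is an added example, not from the article or from Oracle's documentation, of the whitelist-corporate-and-partner, block-everything-else policy the paragraph describes; the hostnames apps.corp.example and partner.example and the all-zero certificate fingerprint are placeholders.

```xml
<!-- ruleset.xml (added example): packaged as DeploymentRuleSet.jar, signed with a
     certificate the client JRE trusts, and installed in the system-wide deployment
     directory. Rules are evaluated in order; the first matching rule wins. -->
<ruleset version="1.0+">

  <!-- Applets served from the corporate intranet server run without prompting. -->
  <rule>
    <id location="https://apps.corp.example/" />
    <action permission="run" />
  </rule>

  <!-- A partner's applets run only when signed by this exact certificate
       (SHA-256 fingerprint; the all-zero value is a placeholder). -->
  <rule>
    <id location="https://partner.example/">
      <certificate algorithm="SHA-256"
                   hash="0000000000000000000000000000000000000000000000000000000000000000" />
    </id>
    <action permission="run" />
  </rule>

  <!-- Catch-all: an <id/> with no attributes matches every other applet. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java applets from this site are blocked by IT policy.</message>
    </action>
  </rule>

</ruleset>
```

The signed DeploymentRuleSet.jar goes in C:\Windows\Sun\Java\Deployment on Windows or /etc/.java/deployment on Linux; because matching stops at the first hit, the catch-all block rule must stay last, and a rule with a certificate hash is the only one of the three that cannot be satisfied by an attacker who controls DNS or a proxy for the whitelisted host.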