Oracle sets out future Java security plans
From October 2013, Oracle will be releasing Java security updates as part of its Critical Patch updates. The announcement came as part of the company's plans to revamp how it will secure Java over the coming years. In a blog post, the lead for the Java platform software development team, Nandini Ramani, outlined both the scheduling and technical security plans.
On the scheduling front, Oracle plans to bring Java in line with its Critical Patch Update schedule from October 2013. Java security updates have previously been released on their own schedule, but with the number of vulnerabilities closed per update rising – updates closed 58 holes in all of 2012, and already 97 in the first half of 2013 – Oracle wants to make the releases more regular and part of its quarterly Critical Patch Update. Ramani says the company will retain its ability to issue out-of-band fixes through its Security Alert programme. The move was to be expected after Oracle reworked Java version numbering to allow for regular updates. In addition to the regular updates, the Java team at Oracle is expanding its use of automated security tools and is working with "Oracle’s primary source code analysis provider" to use its tools in the Java environment.
Technically, Oracle's focus is on the inherent problems with Java in the browser and its trust/privilege model. Ramani points out a number of changes to restrict trust in Java applets, especially in the most recent release of Java 7 Update 21 – using signing to establish the identity of an applet's author but not necessarily raising the applet's privileges, discouraging the execution of unsigned or self-signed applets, and adding checks for certificate validity. That last feature is currently disabled by default because of performance concerns and Ramani only says that it will be made a default in the future. Other plans for the future include blocking all unsigned and self-signed applets and implementing better dynamic blacklisting.
What Ramani does say is that the company will be reducing the number of libraries shipped with the Server JRE, which Oracle quietly introduced with Java 7 Update 21. The Server JRE already omits the Java browser plugin, the auto-updater and the installer, but Oracle wants to reduce the attack surface further by removing other libraries "typically unnecessary for server operation". Such changes would be significant, and Oracle says it has to work with the Java Community Process to get them agreed upon. Which libraries are under consideration for removal is not disclosed; likely candidates include Java2D and font handling.
It is expected that the Server JRE will have different exploitation risks and will make it easier to determine whether a security issue affects Java on the desktop or Java in the server. A Local Security Policy system will also be introduced to Java "soon" which will give administrators control over security policy settings during installation and deployment of Java with, among other things, options to restrict applet execution to specific hosts.
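As an added illustration of the per-host applet restriction described above (not part of the original article): Oracle later shipped this administrator control as the Deployment Rule Set feature, configured through a `ruleset.xml` file; the article itself does not name the mechanism, so treating "Local Security Policy" as the same feature is this editor's assumption. The hostname below is a constructed example. The rules are evaluated in order: the first rule allows applets served from the named intranet host to run, and the final rule (an empty `<id/>` matches everything else) blocks all other applets with a message shown to the user.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the article): Deployment Rule Set restricting
     applet execution to a single, constructed intranet host. -->
<ruleset version="1.0+">

  <!-- Allow only applets loaded from this host (constructed example value).
       Matching is by location prefix, so sub-paths under it are included. -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>

  <!-- Catch-all: an <id/> with no attributes matches every other applet.
       "block" refuses execution and shows the message to the user. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked: this applet is not on the approved host list.</message>
    </action>
  </rule>

</ruleset>
```

To take effect, the file is packaged as `DeploymentRuleSet.jar`, signed with a certificate the client trusts, and placed in the system-wide deployment directory of each workstation; a rule set that is unsigned or signed by an untrusted certificate is ignored, so verifying the signature on the deployed jar is the check to run before relying on the policy.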