Oracle plans to talk down Java security concerns
It appears that Oracle wants to talk about Java security concerns, but it also appears it doesn't have anything to tell users worried about Java's vulnerability in the browser. In a recent conference call (MP3 file) to Java User Group leaders, Oracle's lead for Java Security, Martin Smith, said the Oracle plan for Java security is "to get Java fixed up and number two to communicate our efforts widely".
Billed by others in Oracle as the breaking of Oracle's silence on the issue, Smith said "we have to fix Java and we have been doing that", referring to recent updates and the adding of security features. This started with Java 7 Update 10 which set out to stop drive-by attacks from unsigned applets by always making them prompt before being allowed to run. The update also made it easier to deactivate Java in the browser.
Oracle's focus is on Java in the browser, but Smith went into no further detail over what technical plans they had for the Java runtime. Some security researchers have called on Oracle to set out a plan which would see better isolation of Java applets and a detailed examination of the low level language elements which enabled the recent attacks, but there was nothing on those subjects.
Smith appeared to be much more forthcoming on communications; he wanted to get the JUG leaders and others to help Oracle to communicate a message to engineers, data centre operators and other Java users. But, there was no actual message to be communicated; just plans for interviews and appearances at conferences. "I don't have too much in the way of what we to communicate just yet", said Smith.
Oracle's Doland Smith from the OpenJDK team, also mentioned that the company understood the concerns over the installation of toolbars which had arisen in the wake of the security issues. He pointed out that the toolbar installation was something that it inherited from Sun and it was "constantly re-evaluating" the relationship with the toolbar owners but dropping it would be difficult and involves "real constraints" on how the company could work. He also said he could not explain why the toolbar installation in the Java installer starts up ten minutes after Java has been installed.
Whether Oracle will be able to overcome its traditional reluctance to talk openly about security issues and work with researchers and others outside the company is unclear. "They didn’t sound like they have a clear idea of what to do, what to say or even exactly who they were speaking to", said nCircle's director of security operations, Andrew Storms, adding, "If this is the kind of security communication we can expect from Oracle in the future then Oracle customers are not better off."