Oracle security chief pledges to "fix" Java

Oracle has pledged to fix the issues in Java and to improve how it communicates with users.

The database giant will "get Java fixed up" to improve security, Milton Smith, Java security lead at Oracle, said during a conference call with Java User Group leaders last week. The conference call came a few weeks after researchers uncovered various attacks exploiting serious vulnerabilities in Java. Even after the company rushed out an emergency update to patch the flaws, researchers found additional bugs.

"No amount of talking or smoothing over is going to make anybody happy. We have to fix Java," Smith said on the call.

Security experts have long advised users who don't regularly access websites to go ahead and disable Java in their web browsers. The Department of Homeland Security's Computer Emergency Response Team reiterated the recommendation earlier this month.

"This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered," according to the CERT advisory. "To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available," CERT wrote.

Smith acknowledged that most Java-based attacks recently have targeted Java applications running within the browser. "That's really the biggest target now," he said.

Oracle added Java to its portfolio after the $7.4 billion (£4.7bn) acquisition of Sun Microsystems in 2009. Critics often blast Larry Ellison's company for being tight-lipped about its product plans, and Java was no exception. However, Smith said the company will "communicate our efforts widely," so that major user groups are aware of the changes being made and how they affect Java. For example, people aren't aware of the "significant" security improvements to Java that prevent silent exploits, he noted.

Oracle hasn't figured out exactly what it will do, but Smith suggested one option could be for Oracle to communicate with Java user group leaders and have the leaders disseminate information back to the membership. Oracle needs to communicate with a wide audience, which includes consumers, IT professionals, and engineers, Smith said.