Oracle has announced improvements to Java that are expected to harden a software line with a checkered security past.
Nandini Ramani, Java's lead for software development, detailed the enhancements which came with the April release of Java 7u21.
The company has changed the way signed applets – small programs that can be embedded on a web page – will operate in Java. In the past, signing applets was synonymous with giving the application increased privileges.
Now signing an applet only "establishes the identity of the signer," without automatically giving them more privileges to bypass security measures – a move that could limit the ability for attackers to execute malware.
HD Moore, chief research officer at vulnerability management company Rapid7, said this was a big accomplishment. The sandboxing technology could help keep one malicious applet from compromising an entire system.
“It forces signed applets to run at standard sandboxing privileges,” Moore said. “It's fixing a glaring error in [its policies].”
In addition, Java's default plug-in security setting was raised: signed applets can still run outside the sandbox, while users can now stop unsigned applets from being executed at all.
A third applet policy change is that Oracle will maintain a daily updated blacklist of compromised .jar files and certificates.
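A defender-side check that reflects the two policy points above, that a signature only establishes the signer's identity and that known-bad certificates are blacklisted, as an added example that is not Oracle's code: it verifies a JAR's signatures, extracts each signer's leaf certificate and compares its SHA-256 fingerprint with a locally held blacklist. The blacklist entry is a placeholder, and the JAR path is taken from the command line.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

public class JarSignerCheck {
    // Placeholder entry; in practice this set would be fed from the published blacklist.
    static final Set<String> BLACKLISTED_FINGERPRINTS = new HashSet<>(Arrays.asList(
        "PLACEHOLDER_SHA256_FINGERPRINT_FROM_BLACKLIST"));

    // Hex SHA-256 of the DER-encoded certificate, the usual "fingerprint" form.
    static String fingerprint(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    // Collects the leaf signer certificate of every code entry. verify=true makes a read of a
    // tampered entry throw SecurityException; an entry with no certificate is rejected as unsigned.
    static Set<X509Certificate> signers(String jarPath) throws Exception {
        Set<X509Certificate> result = new HashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* certificates populate only after a full read */ }
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null || certs.length == 0)
                    throw new SecurityException("unsigned entry: " + e.getName());
                result.add((X509Certificate) certs[0]); // leaf of the signer's chain
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        for (X509Certificate c : signers(args[0])) {
            String fp = fingerprint(c);
            String verdict = BLACKLISTED_FINGERPRINTS.contains(fp) ? "BLACKLISTED" : "identity only";
            System.out.printf("%-13s %s  %s%n", verdict, fp, c.getSubjectX500Principal().getName());
        }
    }
}
```

A signer that passes this check is still only an identity; it earns no extra privilege, which is exactly the change the 7u21 policy makes.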
In addition, Ramani said future Java updates would be released four times a year as part of Oracle's quarterly Critical Patch Update. Previously, the updates were released three times yearly as a standalone distribution.
Despite the reforms, Java still needs to take a more advanced approach to sandboxing as Adobe and Google do, Moore said. Both companies have implemented process-level sandboxing for Reader and Chrome, respectively.
“The direction most of these vendors have been [going toward] is the process-level technology,” Moore said.
"If someone is able to exploit Java Runtime, they are able to get all the privileges that the user has. As soon as their applet is compromised, it exposes the entire system that it is running in."
John Hawes, a researcher at Sophos, said in a blog post that the new security functionality was nice to see, but that it has come "too late," and that users should consider disabling Java in the browser.
“It's taken too long to get this far though, and things are still moving far too slowly,” Hawes wrote.
Java has been plagued by vulnerabilities and active exploits in recent years, making the software a top enterprise threat.
Recently, attackers targeted Java users by duping them into running a malicious Java applet signed with a stolen digital certificate; the signed applet was presented as a "Java ClearWeb Security Update."