Oracle has admitted it has maintained "relative silence" on security problems in Java after a spate of vulnerabilities and exploits were made public.
In recent weeks Java zero-day vulnerabilities have been widely reported, along with another unpatched flaw said to be trading for $5,000 on underground crime forums.
In a recent recording of a conference call, Milton Smith, security lead for Java, said that the priorities were "to get Java fixed up and to communicate our efforts widely".
“We really cannot have one without the other; no amount of talking or smoothing over is going to make anyone happy or do anything for us," Smith said.
“We have to fix Java, and we have been doing that, and there are some things that are visible to the public as far as the number of changes and CPUs, as well as some security changes we added. A lot of the things that we are looking into are in relation to Java in the browser, as that is where we have seen most of the weaknesses.”
“It is often frustrating for us to get a message out, so after we hit all the approvals, often understanding how to get a message out is challenging,” he said.
nCircle security operations director Andrew Storms said Oracle's public admission was a step forward.
"It's good to finally see Oracle acknowledge the seriousness of the situation. Unfortunately, we needed this admission a year ago before its customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb."
“The content in the Java security discussion was pretty lacklustre. You've got to wonder what role the Oracle press team has had in the company's response to all the security criticism they've had lately. I felt bad for the people representing Oracle on this call because they didn't sound well prepared. They didn't sound like they have a clear idea of what to do, what to say or even exactly who they were speaking to.”