04 Jun 2013

Oracle Reworks Security Model for Upcoming Java Releases

Oracle-sponsored Java has had a rough patch this year as zero-day exploits kept pouring in and cyber-crooks rushed to monetize their bugs. But things are apparently looking less gloomy for the upcoming releases of Java, which will bring, among other changes, a major shift in the way applets are treated within the browser.

According to a lengthy post on the Oracle blog, the company is working on a new security model that will not allow signed applets to execute code outside of the sandbox, preventing incidents involving signed, yet rogue, Java code. This measure is complemented by instant verification of the revocation status of each certificate, so that an attack relying on a revoked certificate is blocked once it has been detected.

"Oracle is making improvements to standardized revocation services to enable them by default in a future release. In the interim, we have improved our static blacklisting to a dynamic blacklisting mechanism including daily updates for both blacklisted jar files and certificates," wrote Nandini Ramani, VP of Development at Oracle.

Additionally, Oracle promises a quarterly patch release, as well as out-of-band security fixes that will be delivered whenever a zero-day exploit appears in the wild.