Java vulnerabilities and zero-day exploits are very common these days. It has reached the point where security experts recommend disabling Java wherever possible.
Now Oracle has added a whitelisting option to Java so that it can be run under tighter control in corporate environments. This move could help restore some confidence in Java. Check out the details here
“The reason people are recommending that Java be removed is because they have very low confidence that Oracle is going to change their approach to security,” said Chet Wisniewski, senior security advisor at Sophos.
Java exploits are readily available in the Internet underground; the Blackhole exploit kit is one such piece of crimeware (read more about it at Krebs). The biggest challenge for corporations is their inability to upgrade the Java Virtual Machine because of application compatibility issues, which leaves the organization exposed to known, already-patched vulnerabilities.
A recent study by security firm Bit9 showed that over 80 percent of Java-enabled enterprise computers run Java 6, with the most widely deployed version being Java 6 Update 20.
Now Oracle has added a feature to Java that lets companies control which specific Java applets are allowed to run on their endpoint computers, which could help them better manage Java security risk. The new feature is called the "Deployment Rule Set" and was added in Java 7 Update 40 (Java 7u40), released on Tuesday.
Deployment Rule Set gives administrators fine-grained control over the execution of applets by letting them create an XML file with rules for how known applets should be handled by the Java plug-in. The rule set works much like a firewall rule set: rules in the XML file are evaluated in order and the first match wins, so they can be used to build a whitelist of known applications followed by a general rule at the end of the file that blocks anything the earlier rules did not match.
The rule set file must be digitally signed with a certificate issued by a trusted certificate authority, packaged as a Java archive (JAR) and placed in a specific system-wide deployment directory on every computer where the rules are to apply. Because the rule set overrides the plug-in's normal prompts, control of the signing key and write access to that directory amount to control over which applets may run, so both need to be protected as carefully as the rules themselves.
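As an added illustration of the whitelist-then-block scheme described above (this is a constructed example, not a file from the article or from Oracle's documentation), here is a minimal ruleset.xml. Rules are matched top to bottom; an applet can be identified by the URL prefix it is loaded from, by the SHA-256 fingerprint of its signing certificate, or both. The hostnames are fictitious and the certificate hash is a placeholder, to be replaced with the fingerprint of the real signer's certificate.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ruleset.xml: constructed example; hostnames and hash are fictitious -->
<ruleset version="1.0+">

  <!-- Rule 1: the payroll applet, matched by URL prefix, runs without
       prompting on the latest secure JRE installed on the machine. -->
  <rule>
    <id location="https://payroll.intranet.example.com/app/" />
    <action permission="run" version="SECURE" />
  </rule>

  <!-- Rule 2: the legacy ERP applet is matched by location AND signer,
       so a compromised web server alone cannot slip a different JAR
       through this rule. It is pinned to the Java 6 family it was
       certified against (the compatibility problem the article raises). -->
  <rule>
    <id location="http://erp-legacy.intranet.example.com">
      <!-- placeholder: replace with the real SHA-256 certificate fingerprint -->
      <certificate algorithm="SHA-256"
                   hash="0000000000000000000000000000000000000000000000000000000000000000" />
    </id>
    <action permission="run" version="1.6*" />
  </rule>

  <!-- Rule 3: a staging host gets the plug-in's normal behaviour
       (security prompts and warnings) instead of silent run or block. -->
  <rule>
    <id location="https://staging.intranet.example.com" />
    <action permission="default" />
  </rule>

  <!-- Rule 4: catch-all. An <id/> with no attributes matches every applet,
       so anything not matched above is blocked. It must stay last. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate Java policy. Contact the helpdesk.</message>
    </action>
  </rule>

</ruleset>
```

The file is then packaged as DeploymentRuleSet.jar and signed with jarsigner using a certificate that chains to a CA the JRE trusts, then distributed to the deployment directory on each endpoint. One caveat worth noting: pinning a legacy applet to an old JRE (Rule 2) keeps that application working but also keeps the old, vulnerable JRE reachable for that one location, so such rules should be as narrow as possible and removed as soon as the application is fixed.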
Can this new change help Oracle gain the confidence of the customers? What are the challenges anticipated in implementing these changes?