Oracle Speaks up on Java Security

As many of you are keenly aware, there has been a veritable media firestorm around the recent Java vulnerability. As you know, the vulnerability pertains to Java in the browser, not server-side Java, desktop Java or embedded Java. You may also have been frustrated with Oracle's relative silence on the issue.

Hopefully it comes as some relief that Oracle is now starting to openly speak up on the issue. The lead for Oracle Security, Martin Smith, and Donald Smith from the OpenJDK team very recently had a conference call with worldwide JUG leaders. The recording of the meeting is available here. This was a frank two-way discussion with Java community leaders about Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage in some venues. As Donald and Martin indicate on the call, we can expect this to be the tip of the iceberg of what will be done on the Java security and communication fronts.

You are encouraged to participate in this crucial dialog and provide your feedback.

John Spragge offers his opinions on these very issues in his intelligent, insightful blog post: A passionate defence of Java's virtues. It is well worth a read if you are a fan of GlassFish, Java EE or Java.

Comments:

The best thing you can do about Java security? Release update catalogues so enterprises who have invested time and money into Microsoft System Centre Configuration Manager can patch Java RE and EE utilising existing infrastructure.

Adobe do this for Flash and Reader and you should follow suit, and quickly.

Posted by Mark Scott on January 30, 2013 at 02:33 PM PST #

Thanks for the thoughtful suggestion. I'll try my best to pass it on.

Posted by Reza Rahman on January 30, 2013 at 02:38 PM PST #

Is it that we should disable java and keep it disabled? When is the fix even likely to appear?

Posted by Java concern on February 09, 2013 at 07:39 PM PST #

I am as much in the dark about this as you are as to what the official Oracle recommendation is. This blog: https://blogs.oracle.com/security/ is supposed to be the definitive source on such things but I'm not sure it actually addresses any of these questions (it just reads like release notes to me).

The only thing out there that I know of is Cameron's purely personal suggestions: http://www.infoq.com/news/2013/01/jdk6-retirement (look at the discussion thread). Given what I know personally so far, I think Cameron's suggestions are on the money.

Sorry I can't give you a clearer answer. We can all hope one will be forthcoming soon...

Posted by Reza Rahman on February 10, 2013 at 11:44 AM PST #

I'm seconding that request! Get us a SCUP catalog and fast! Help us secure our enterprise!

http://technet.microsoft.com/en-us/systemcenter/bb741049.aspx

Posted by Steven on February 22, 2013 at 07:53 AM PST #

Just so you are aware, I have already passed on this bit of feedback. The options are being carefully weighed as Milton and Donald promised.

Posted by Reza Rahman on February 22, 2013 at 07:57 AM PST #

Very interesting, thank you very much, good work.

Posted by Agence web on March 27, 2013 at 11:46 AM PDT #
