Java became somewhat of a punching bag in the security researcher community earlier this year after numerous vulnerabilities were found in the software. After what must have been an embarrassing few months, Oracle announced in June that it would make Java security a priority going forward. So, how’s that working out for them?
InfoWorld reports that Oracle officials spoke on Java security in late September at the JavaOne technical conference in San Francisco. They said that the main problem with Java security is that most of the vulnerabilities existed long before Oracle purchased Sun Microsystems, and that they’re having to go back and fix decade old problems. It also didn’t help that Java, when under the care of Sun, didn’t receive the kind of security support or funding that Oracle is now pumping into it.
Of course, the blame can’t fall all on Sun. Oracle’s Vice President of Cloud Applications and Java EE, Cameron Purdy, said that some of the blame falls on Oracle for not building a Java security team fast enough after his company acquired Java in 2010.
Sun and Oracle may have made some mistakes in keeping Java secure, but the blame for poor Java security ultimately falls on users. Oracle notes that it’s putting out security updates, but it’s up to the user to update to the latest version of Java. If they don’t upgrade, it’s not Oracle’s fault if a hacker uses an exploit to take over their machine.
With its renewed focus on security, Oracle seems to have gained the favor of developers. One such developer told InfoWorld that Oracle had made a lot of progress over the past year in the field. That progress came in the form of Oracle announcing that it would put out four annual security fixes for Java instead of three. It will also work to release emergency updates whenever a zero-day exploit rears its ugly head.