Oracle admits to security problems with Java in browsers

Insists Java is fine with servers, mobile devices

Oracle has finally admitted to security issues with its Java web browser plug-ins, acknowledging in a blog post late last week that users may have been "frustrated with Oracle's relative silence on the issue." The widely deployed platform has been hit recently with a rapid-fire string of security flaws that has resulted in calls from various security vendors for companies to uninstall Java for browsers.

Even the United States Department of Homeland Security had warned that despite recent patches, Java remains a weak target in browsers. It offered instructions on how to disable Java in web browsers. According to The Register, Metasploit founder HD Moore warned that Oracle is "still sitting on a backlog of Java flaws that will take up to two years to patch."

Oracle (NASDAQ: ORCL) has uploaded a recording of a conference call (mp3) between the Java User Group and Milton Smith, head of security for Java at Oracle, together with Donald Smith of the OpenJDK. In the recording, Milton Smith pledged to "get Java fixed up," and said he is hoping to better communicate Oracle's efforts on this front. He also pointed out that non-browser deployments of Java, such as on servers and embedded devices, are immune to the recent attacks.

The discussion did little to convince security experts who are skeptical of Oracle's sincerity in addressing the problem. Oracle has been accused of being "difficult, unresponsive and occasionally combative."

"Oracle needs to take a leaf out of Microsoft's book and play nice with researchers. A little engagement from its side would go a long way towards getting more outside input on bugs," The Register article said.

For more:
- check out this article at The Register
