"It's difficult to say what has been going on internally at Oracle for the past years, but based on an external impression I feel they could have reacted sooner," said Carsten Eiram, chief research officer at consulting firm Risk Based Security, via email. "I'm not sure Oracle really took the predictions of Java being the next major target seriously."
It's unlikely Oracle could have prevented the recent attacks, he said, but it would be in a better position if it had acted sooner to secure its code and add more layers of security.
"I think the current state of Java security is due to the fact that Sun pushed Java very strongly when they still owned it," said Costin Raiu, director of the global research and analysis team at Kaspersky Lab, via email. "After Oracle purchased Java, perhaps little interest went into this project."
Oracle acquired Java when it bought Sun Microsystems in 2010. The software is installed on 1.1 billion desktop computers worldwide, according to information at Java.com. Its widespread deployment and cross-platform nature make it an attractive target for hackers. Researchers at Security Explorations, a Polish vulnerability research firm, have found and reported 55 vulnerabilities in the Java runtimes maintained by Oracle, IBM, and Apple over the past year, 36 of them in Oracle's version.
"In April 2012, we reported 30 security issues to Oracle affecting Java SE 7," Adam Gowdiak, Security Explorations' founder, said via email. "This was around the same time the Flashback Mac OS trojan was found in the wild. Both should have worked as a wake up call for Oracle."
Kaspersky Lab has reported that at any given time last year, one in three users was running a version of Java that was vulnerable to one of five major exploits being used by hackers. At peak times, more than 60 percent of users had a vulnerable Java version installed.
Providing a silent, automatic update mechanism like that found in Chrome, Flash Player, Adobe Reader, and other software might be helpful to consumers, Eiram said. However, businesses will probably disable such features, he said.
Starting with Java 7 Update 10, released in December, Oracle has provided new options in the Java control panel that allow users to disable the Java plug-in from browsers or force Java to ask for confirmation before Java applets execute. Since Java 7 Update 11, the default setting for this mechanism has been set to high, preventing unsigned Java applets from running automatically without user confirmation.
"I believe the new security features in Java show that Oracle is moving in the right direction," said Wolfgang Kandek, CTO of Qualys, which sells vulnerability management and policy compliance products. Making Java even more configurable would help IT administrators to deploy it in a manner that meets the requirements of their organizations.
"I would welcome white-listing capabilities in Java, i.e., prohibiting all but approved sites to use the applet mechanism," Kandek said. "At the same time, central management of the Java configuration capabilities, i.e., via Windows GPO [Group Policy], should be improved."
Kandek believes Oracle faces a bigger challenge in hardening Java against attacks than other software companies did with their own products. "Java is a complete programming language and needs to be able to perform the full gamut of actions ... including low-level operating system tasks."
That said, Eiram and Gowdiak both said Oracle needs to improve the quality of its Java code from a security perspective, because right now it's relatively easy to find vulnerabilities.