It's a great first step, but right now the level of knowledge required to create and deploy the rule sets limits the feature's use to well-structured IT departments with good control over their systems, said Wolfgang Kandek, the CTO of vulnerability management firm Qualys. However, for an experienced system administrator deploying it should not be a problem, he said.
The feature is for managed environments, Kandek said. Home users should always upgrade to the latest version of Java, but if you are a system administrator and you need to maintain older versions of Java, then this might be an option, he said.
It's a great mechanism for whitelisting Java Web applications, because it's browser independent, Kandek said. Until now, companies had to use different methods for different browsers in order to do this, he said.
The functionality needs to be refined as far as management goes, but Qualys' customers who were asked about it expressed their interest in it, Kandek said. One of those companies runs an older Java version on around 2,000 of its 12,000 machines and is worried about employees visiting malicious websites that would try to exploit that, he said.
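To make the whitelisting and version-pinning scenario Kandek describes concrete, here is an added configuration example; it is not from the article, from Qualys, or from Oracle. It assumes the feature under discussion is the Deployment Rule Set mechanism (the article does not name it), whose rule file is an XML document packaged in a signed DeploymentRuleSet.jar that the Java plug-in consults before launching any applet or Web Start application. The hostname intranet.example.com and the single legacy application are constructed for illustration; the `run`, `block` and `SECURE-1.7` values are the documented ruleset keywords.

```xml
<!-- Added example: a ruleset that allows one legacy intranet application to run
     on a pinned older Java 7 release and blocks every other applet/Web Start app.
     Rules are evaluated top to bottom; the first matching <id> wins. -->
<ruleset version="1.0+">

  <!-- Only this location may run, and only on the most recent secure Java 7 baseline.
       Pinning to a specific family rather than "any" limits how old a runtime
       the browser will load for this app. -->
  <rule>
    <id location="https://intranet.example.com/legacy-app/" />
    <action permission="run" version="SECURE-1.7" />
  </rule>

  <!-- Catch-all rule with an empty <id/>: anything not matched above is blocked,
       including drive-by applets on arbitrary websites. Leaving this rule out
       would fall back to the plug-in's normal prompting behaviour for unlisted
       sites, which is the weaker configuration. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java content from this site is not approved. Contact the IT helpdesk.</message>
    </action>
  </rule>

</ruleset>
```

The file only takes effect once it is packaged as DeploymentRuleSet.jar, signed with a certificate the clients trust, and placed in the system-wide deployment directory; because the rule is enforced by the plug-in itself, the same file applies regardless of which browser loads the page, which is the browser-independence the article points to. Reviewing the catch-all rule is the first check to make: without a final `block` rule the whitelist is only advisory.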
Kandek believes that the new feature is one of several signs that things are moving in the right direction at Oracle, security-wise. However, other researchers feel that Oracle should do more to fix Java's security issues at the code level.
It's easier to eliminate the Java plug-in as an attack vector through various GUI (graphical user interface) and policy-based "security enhancements" than to clean up the code and re-architect the platform to strengthen its security stance, Adam Gowdiak, the founder of Polish vulnerability research firm Security Explorations, said via email.
Gowdiak and his company have found many critical vulnerabilities in Java during the past two years.
When it comes to browser-based attack scenarios, this new feature should help reduce the risk associated with executing malicious Java code from untrusted sources, Gowdiak said, adding that he expects many companies to give it a try. It's difficult to predict an actual adoption rate though and available data on Java updates in enterprise environments does not paint an optimistic picture, he said.