Oracle: We're getting Java security under control

Most problems date back more than a decade and resulted from old versions of Java being run, a company official insists

The impression persists that Java is still plagued with security problems after more than a year of issues popping up, but Oracle wants to assure the public that things actually have gotten much better lately.

Officials of the company said Monday at the JavaOne technical conference in San Francisco that Java security had been neglected years ago and the nature of software makes software subject to security issues. But Oracle is addressing the problems and has made it easier to upgrade to the newest, safer versions of Java and get security patches, they said.

Most of the security issues actually date back more than a decade, said Cameron Purdy, Oracle vice president of cloud applications and Java EE (Enterprise Edition). Oracle only became the steward of Java early in 2010, when it acquired Java founder Sun Microsystems.

"The perception is that these are new issues. Most of these are problems with JDK [Java Development Kit] 1.4 and earlier," Purdy said. "And our goal is that there will be no, zero, absolutely none, no security vulnerabilities in Java." JDK 1.4 was released in February 2002, according to Wikipedia.

"When we acquired Sun Microsystems, Sun was not in a position to fully fund the security team. We began rebuilding that. It did take time," Purdy said. Oracle, however, did not rebuild the team fast enough, he added.

One issue that causes security problems is users running an older version of Java, noted Nandini Ramani, Oracle vice president of Java development. "Ultimately, people have to update."

A JavaOne attendee said Oracle was on the right track with securing Java. "I think they've made great progress in the last year, that's for sure," said Martin Moran, a tech lead and developer at The Vanguard Group financial services firm. Moran said his business has not been impacted by Java's security problems.

Oracle has been conducting a security track -- a grouping of sessions related to security -- at the conference. The company has taken a number of steps recently to address security issues, particularly defending against malicious applets, said Milton Smith, Oracle senior principal security product manager. "We are concerned about all security vulnerabilities and things like that but we are calling out applets [explicitly]," Smith said.

The company has been remediating vulnerabilities, issuing critical patch updates, and enabling users to disable Java in browsers, where security has been a thorn in the side. Oracle is also promoting deprecation of self-signed and unsigned applets and enabling setting of plug-in security levels.

This story, "Oracle: We're getting Java security under control," was originally published at

Copyright © 2013 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!