After silence on Java flaws, Oracle now says it cares

A sudden outreach effort promises to fix Java and communicate better about future security issues

Oracle wants to you to know it is on the job when it comes to Java security. Two weeks after the U.S. government told users to disable Java in their browsers (and Apple did so automatically for Mac users) because of serious security flaws, the company is now reaching out to developers and users about this embarrassing problem.

In recent blog posts and during a conference with JUG (Java User Group) leaders on Friday, Oracle has tried to convey the message that it cares about Java security. "Hopefully it comes as some relief that Oracle is now starting to openly speak up on the issue," says Oracle blogger Reza Rahman.

"The plan for Java security is really simple: It's to get Java fixed up, number one, and then, number two, to communicate our efforts widely," Oracle security lead Milton Smith said. "No amount of talking or smoothing over is going to make anybody happy or do anything for us -- we have to fix Java, and we have been doing that."

Smith also noted recent improvements, such as a security slider on the Java control panel and the addition of a capability for disabling Java applets. Further efforts might include having automatic updates for Java when a new release is issued, similar to how Firefox automatically updates desktops with its latest browser. But Smith was not sure this was advisable because updates might conflict with some applications; many applications are highly sensitive to the version of Java installed, an issue that can bedevil system administrators when different apps require different Java versions.

Oracle says it might issue more press releases on Java security issues and add a security track at the next JavaOne conference.

When Oracle bought Sun Microsystems in 2010, Sun's prized Java technology was viewed as perhaps the crown jewel of the purchase. Now, three years later, Oracle has the unfortunate task of mending the various security holes in the client version of the platform, with the browser client serving as the weakest spot.

In many ways, Java is the victim of its own success: Its ubiquity makes it a handy target for bad actors. But that's what happens when you build or buy a near-universally deployed platform (just ask Microsoft). Oracle is going to continue to have its hands full patching newfound security holes and preventing new ones.

When Oracle bought Sun, there were many questions about how good Oracle would be for Java. Three years on, we're left wondering how good Java is for Oracle. These days, it seems like a real big headache.

This story, "After silence on Java flaws, Oracle now says it cares," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.

How to choose a low-code development platform