Oracle realizing that Java engine security is broken

Oracle is not a company I’m fond of.  I dislike its business practices immensely and its security stance has historically been very much a reactive one.  I realize that they have immensely complex products, but when quarterly patches regularly cover dozens of security fixes, it’s time to start wondering how seriously they take security.

Over the last couple of weeks, though, two things have happened that give me some hope that a new direction is coming.  They don’t yet cause me to change my recommendation that Java should be removed where feasible and secured where it must be present, but it’s a good change nevertheless.


Facepalm: Microsoft (sort of) sends patches via e-mail

In general, I think most companies are doing better in security than before.  They at least are admitting that they have to pay attention to it, and Microsoft has made huge changes in its programming and business practices that have made it far more difficult to break into systems than it used to be.  But there’s still room for improvement, and it’s a change that needs to happen sooner rather than later because it’s undermining a key aspect of user security awareness.
