Oracle is not a company I’m fond of. I dislike its business practices immensely and its security stance has historically been very much a reactive one. I realize that they have immensely complex products, but when quarterly patches regularly cover dozens of security fixes, it’s time to start wondering how seriously they take security.
Over the last couple of weeks, though, two things have happened that give me some hope that a new direction is coming. They don’t yet cause me to change my recommendation that Java should be removed where feasible and secured where it must be present, but it’s a good change nevertheless.
That said, they seem to be realizing that something has to change, and if they follow through, I’ll give them credit for it. Over the last couple of years, Oracle has taken a beating in the press over the enormous number of flaws found in its Java Runtime Engine (JRE). The company has issued numerous updates; many of them have been emergency fixes to address problems that were (and still are) being actively exploited.
In the shorter term, even though Java 6 support was to end in February, Oracle released Java 6 Update 45 side-by-side with Java 7 Update 21 in the middle of this month. They did this to address widespread attacks against the still widely installed Java 6. Oracle made the right decision here to release two months after support officially ended, and I won’t be surprised if they do it again, maybe one more time. (I also won’t be surprised if Microsoft chooses to do the same thing with Windows XP next year should something major come along.)
For the longer term, Oracle announced a delay in the release of Java 8. Originally planned for a release in September 2013, it has been pushed back to sometime in the first quarter of 2014. This allows them to keep a promised feature for developers (taking advantage of more than one processor core in a device) while still (they hope) tackling security issues in the entire JRE architecture. Java 9’s schedule was also delayed to give time to improve security.
When Oracle’s products largely hid in the cores of their customers’ networks, they didn’t have to face much public backlash when releasing patches like that. When they bought Sun Microsystems and acquired Java, they took on a new public face that I don’t think they fully understood. Java technology is in more than a billion devices worldwide, from servers to desktop computers to handheld (and smaller) devices. This brings about a responsibility that they finally appear to be understanding and engaging with.