Oracle reveals plans for Java security improvements

The company says it is making the changes after listening to feedback from the security research community

Oracle plans to make changes to strengthen the security of Java, including fixing its certificate revocation checking feature, preventing unsigned applets from executing by default, and adding centralized management options with whitelisting capabilities for enterprise environments.

These changes, along with other security-related efforts, are intended to "decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment," Nandini Ramani, vice president of engineering for Oracle's Java Client and Mobile Platforms, said in a blog post on Thursday.


Ramani's blog post, which discusses "Java's security," indirectly addresses some of the criticism and concerns raised by security researchers this year following a series of successful and widespread attacks that exploited zero-day (previously unpatched) vulnerabilities in the Java browser plug-in to compromise computers.

Ramani reiterated Oracle's plans to accelerate the Java patching schedule starting from October, aligning it with the patching schedule for the company's other products, and revealed some of the company's efforts to perform Java security code reviews.

"The Java development team has expanded the use of automated security testing tools, facilitating broad coverage of Java platform code," she said. The team worked with Oracle's provider of source code analysis services to make these tools more effective in the Java environment, and also developed so-called "fuzzing" analysis tools to weed out certain types of vulnerabilities.

The apparent lack of proper source code security reviews and quality assurance testing for Java 7 was one of the criticisms raised by security researchers, given the large number of critical vulnerabilities found in the platform.

Ramani also noted the new security levels and warnings for Java applets (Web-based Java applications) introduced in Java 7 Update 10 and Java 7 Update 21, respectively.

These changes were made to discourage the execution of unsigned or self-signed applets, she said. "In the near future, by default, Java will no longer allow the execution of self-signed or unsigned code."

Considering that most Java exploits are delivered as unsigned Java applets, such a default behavior would be welcome from a security standpoint. However, digitally signed Java exploits have been used in the past, and security researchers expect their number to increase.

Because of this, it is important for Java clients to be able to check in real time the validity of the digital certificates that were used to sign applets. At the moment Java supports certificate revocation checking through both certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP), but this feature is disabled by default.

"The feature is not enabled by default because of a potential negative performance impact," Ramani said. "Oracle is making improvements to standardized revocation services to enable them by default in a future release."
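The two settings Ramani discusses, the applet security level and revocation checking, are both controlled on the client through the Java Plug-in's deployment.properties file. The fragment below is an added example, not from Oracle's post: it shows the defaults the article describes (revocation checks off) next to a hardened configuration. The property names are taken from the Java 7 deployment configuration reference as I recall it; treat them as an assumption to confirm against the reference for the installed version, and the `.locked` lines are the documented way to stop users from overriding a value in the Java Control Panel.

```properties
# Added example (not Oracle's): deployment.properties for the Java 7 Plug-in.
# Weak defaults as shipped in 2013 (revocation checks disabled):
#   deployment.security.validation.crl=false
#   deployment.security.validation.ocsp=false

# Hardened client policy.
# Require the highest prompting level for applets; unsigned and self-signed
# applets are blocked rather than run silently (values: LOW, MEDIUM, HIGH, VERY_HIGH).
deployment.security.level=VERY_HIGH
deployment.security.level.locked

# Check applet signing certificates against CRLs and OCSP in real time.
# Ramani notes this is off by default for performance reasons; enabling it
# means a revoked signing certificate is no longer trusted after the fact.
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
```

On a managed desktop these lines belong in the system-level deployment.properties referenced from deployment.config, not in the per-user file, so that the locked values apply to every user of the machine.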

The company is also working on adding centrally managed whitelisting capabilities to Java, which will help businesses control what websites are allowed to execute Java applets inside browsers running on their computers.

Unlike most home users, many organizations can't afford to disable the Java browser plug-in because they need it to access Web-based business-critical applications created in Java.

"Local Security Policy features will soon be added to Java, and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization," Ramani said. "The policy feature will, for example, allow system administrators to restrict execution of Java applets to those found on specific hosts (e.g., corporate server assets, partners, etc.) and thus reduce the risk of malware infection resulting from desktops accessing unauthorized and malicious hosts."
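The host-based whitelisting Ramani describes shipped later in 2013 as the Deployment Rule Set in Java 7 Update 40. The ruleset below is an added example written for this article, not Oracle's own; the hostnames are placeholders. Rules are evaluated top to bottom, so the allow rules for known hosts come first and a catch-all block rule (an `<id />` with no location) ends the list.

```xml
<!-- Added example (not from Oracle's post): ruleset.xml for a Deployment Rule Set.
     Allow applets only from named corporate and partner hosts; block everything else. -->
<ruleset version="1.0+">
  <!-- Internal line-of-business applications (placeholder host). -->
  <rule>
    <id location="https://intranet.example.com/" />
    <action permission="run" />
  </rule>

  <!-- A partner's Web application that the business depends on (placeholder host). -->
  <rule>
    <id location="https://portal.partner.example.net/" />
    <action permission="run" />
  </rule>

  <!-- Default: any applet from a host not listed above is blocked before it runs. -->
  <rule>
    <id />
    <action permission="block">
      <message>This Java application is not on the corporate allow list. Contact the help desk.</message>
    </action>
  </rule>
</ruleset>
```

The Plug-in only honors a ruleset that is packaged as DeploymentRuleSet.jar, signed with a certificate the client trusts, and placed in the system deployment directory, which is what prevents a user or a malicious page from substituting a more permissive list.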

Even though the recent Java security issues have generally only impacted Java running inside browsers, the public coverage of them has also caused concern among organizations that use Java on servers, Ramani said.

Because of this, the company has started to separate the Java client from the server distributions and has released a version of the Server JRE (Java Runtime Environment) for Java 7 Update 21 that does not include the browser plug-in.

"In the future, Oracle will explore stronger measures to further reduce the attack surface, including the removal of certain libraries typically unnecessary for server operation," Ramani said. However, such changes are likely to appear only in a future version of Java, because introducing them now would violate the current Java specifications.

Copyright © 2013