How Attackers Exploit People to Circumvent Cyber... » LONDON, UK: Proofpoint, Inc. has released the results of its annual study that details the ways atta... Check Point and FireEye announce new partnership t... » San Francisco, CA: Check Point Software Technologies Ltd and FireEye have announced a partnership to... gateprotect offers companies high security encod... » Hamburg: gateprotect GmbH, a German IT security specialist and subsidiary of the Rohde & Schwarz cor... BeyondTrust Solution for Privileged Account Manage... » PHOENIX: BeyondTrust has announced that the company’s PowerBroker for Windows has been selected as a... The end of Goodluck and the beginning of the Buhar... » Against all odds, the 2015 Presidential election initially billed for February 14, but rescheduled t... Thales announces integration of nShield with Citr... » San Francisco, CA and Plantation, Fla.:  Thales has announce the integration of its nShield hardware... Thales wins with customer Qube Cinema 2015 InfoSec... » Thales has won the silver award for Best Deployment and Case Study in InfoSecurity Products Guide Gl... Wick Hill now shipping Barracuda Mobile Device Man... » Woking, Surrey: Wick Hill is now shipping Barracuda’s Mobile Device Manager (MDM) solution with supp... Databarracks recognised in Gartner's Magic Quadran... » London: Databarracks has been recognised in Gartner’s Magic Quadrant for Disaster Recovery as a Serv... Campaigners draw up battle lines to boost power... » Gate safety campaigners are once again mounting a high profile drive to raise awareness of the safet...


Viewpoints Header

In response to the news that Oracle has carried out an emergency security update on Java, Lamar Bailey, Director of Security Research and Development at nCircle has the following comments:


Here we go yet again. 2013 has seen a surge of critical vulnerabilities in IE, Java and Ruby on Rails. Attackers are targeting cross platform applications to try to obtain access to as many systems as possible using as few exploits as possible.

Oracle has taken a beating this year on Java. It is good to see they are fixing critical vulnerabilities in a code base they want to quit updating but it is past time for them to get serious and do a deep dive on Java to fix the security issues.

I have always thought Oracle did a good job of securing their products but I am losing some of my faith in them with the rash of Java vulnerabilities. I hope these security problems are not found in their other products. My advice to end users is to remove Java from your system and only install it when is needed to access a business critical application, then if possible run Java in a VM or an isolated environment. This is easier said than done as my Windows box had no less that 4 Java versions with various updates. I hope Oracle will assign a team of their best security engineers to Java to squash any of the remaining security issues. Until then many users will be updating Java as often as they update AV signatures.