Monday, May 28, 2012

Oracle slammed for outdated approach to Java security

Oracle Openworld
Oracle has fallen dangerously behind the times with the security policies and practices it utilises on its Java platform, according to one of Kaspersky Lab's top researchers.
Roel Schouwenberg, a senior antivirus researcher with the Kaspersky Lab global research and analysis team told V3 that Oracle has not kept pace with the security advances made by other companies in recent years.
"You can see that Microsoft has gone to sandboxing for Office, Adobe has gone that way, Google has gone that way with Chrome," Schouwenberg noted.
"When you look at what Oracle has done, the sad reality is nothing. And I have to ask why we are letting Oracle get away with this?"
According to figures from Kaspersky, Java remains a top target for malware writers and cyber criminals. Along with Adobe Reader and Flash, Java vulnerabilities are the most popular for online exploits which lead to malware infections.
Adobe has extended the security protections on Reader and Flash. Oracle however has only recently installed basic security measures, says Schouwenberg.
"Two years ago I would have been slamming Adobe for its security," the researcher said.
"Adobe still makes its mistakes, but with Oracle we don't see anything that they are doing to change something."
Oracle did not respond to a request for comment on the matter.
While the Java maker was singled out for its practices, Oracle is far from the only vendor Schouwenberg sees ignoring security issues.
He noted that Google's loose oversight of its Play market has left Android devices vulnerable to malware, while Apple continues to ignore major security risks on the OS X platform in the wake of the Flashback malware outbreak.
Throughout the entire market, Schouwenberg sees the need for better security response time and policies should vendors wish to protect users from malware.
"Any program that can be directly accessed from a web browser should be checking for updates every other day, reasonably, and definitely not less than once a week," he said.
"A broken update system is an issue for a lot of programs still, even Adobe is still struggling on that a bit."

No comments:

Post a Comment