Oracle Java patch problem? Browsium rolls management fix
Locked down and white-listed
Released in 1995, Java went from a language running in a browser to the ubiquitous platform of today, one which underpins the entire industry and with deep tentacles in enterprise IT.
After more than 20 years, Java remains one of the world’s most popular programming languages and employed by nine million devs.
Java runs on 97 per cent of PCs in the enterprise and 89 per cent of US desktops and, somehow, three billion mobile phones. There’s no count on servers but it is huge thanks to the tireless work over the years in tools and middleware of IBM, Oracle and the deceased BEA Systems and Sun Microsystems.
Yet with ubiquity and history has come risk, and Java now dances with Adobe’s Flash to get ahead in terms of number of vulnerability warnings and fixes.
Oracle has released three scheduled quarterly patches for Java this year, at the same time as patches for other products. July saw 13 vulnerabilities fixed in Java SE.
However, there have also been unscheduled fixes – a scheduled release in January that saw eight fixes was immediately followed in February by an emergency patch.
Gary Schare, Browsium president, reckons that the pace is too much for enterprise, which must download fixes that are then tested, rolled out and managed. This being the enterprise, things take longer than Oracle’s three-month release window, so patches can back up.
“It’s great they [Oracle] are making progress, but the sad part is that most enterprises can’t keep up because it’s going too fast or it will break their regression testing,” Schare told The Reg.
“Java is like Flash in that it has a lot of security vulnerabilities. Oracle updates every 45 days but that was too much for most enterprises to keep up with.”
Now, Schare’s firm, Browsium, is stepping in to help big IT shops manage what’s becoming a Flash-scale problem.
Browsium, whose software made its name helping businesses manage legacy versions of Internet Explorer on new releases of Windows without needing to recode their apps, is giving IT pros the option to lock down and run Java on their own terms.
Ion 4.0, released with updates to Browsium’s Proton and Catalyst, will let IT managers block Java everywhere and then slowly enable it for whitelisted sites.
Working as a suite, Proton will sniff out where you have Java installed and when it has been invoked by an application, process or user.
Further, Catalyst will re-direct Java away from Chrome, which no longer works with Java, so Google’s browser won’t disable an application being run.
According to Schare, the world’s attention might have moved towards HTML5 for server and web, but deep in the enterprise and in different departments Java is dug in and Browsium is offering tools to manage that legacy.
“Java has been prevalent in the enterprise for years,” Schare said. “People believed they’d move from Java to HTML5 but the pace of change for line-of-business apps in the enterprise is very slow.” ®