Good news: Oracle says the next major version of its Java software will no longer plug directly into the user’s Web browser. This long overdue step should cut down dramatically on the number of ...

Oracle will retire the Java browser plug-in, frequently the target of Web-based exploits, about a year from now. Remnants, however, will likely linger long after that. “Oracle plans to deprecate the ...

My ZDNet colleague Ed Bott has exposed some icky practices at Oracle regarding their monetization of the end-user JRE install. Here's a better Java option for you to check out and some ...

Newer versions of Java now require all JAR files to be signed with a valid code-signing key, and starting with Java 7 Update 51, unsigned or self-signed applications are blocked from running.

The three flaws affect Java deployments that load and run untrusted code, such as clients running sandboxed Java Web Start applications or sandboxed Java applet, Oracle said in its advisory.

Two of the critical flaws, in Java’s 2D component (CVE-2016-0494) and in Java’s AWT (CVE-2015-8126), can only be exploited through sandboxed Java Web Start applications and Java applets.

The vulnerability "can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets," according to Oracle's Java SE Critical Patch Update Advisory in June.