Oracle: 'We Have to Fix Java'
Posted on 01/29/2013 7:04:53 AM PST by ShadowAce
Over the course of the last two years, Oracle's Java has been exploited time and again as hackers eviscerate the technology, seemingly at will.
As each exploit emerges against Java, Oracle typically responds within a short period of time with a security update, only to have the update exploited within days. While Oracle has pledged with its successive releases that it is improving Java security, the company has not publicly spoken out about the string of exploitation that has crippled confidence in Java in recent months. That is until now.
"As many of you are keenly aware, there has been a veritable media firestorm around the recent Java vulnerability," Reza Rahman, Java EE evangelist at Oracle, blogged. "As you know, the vulnerability pertains to Java on the browser, not server-side Java, desktop Java or embedded Java. You may also have been frustrated with Oracle's relative silence on the issue."
Oracle's most recent Java patch was issued in early January. The Java 7 update 11 (7u11) release was triggered by zero day attacks against Java. 7u11 followed the 7u10 update by less than a month. Both 7u10 and 7u11 were intended to make Java more secure through the use of a new security control. 7u10 was exploited, and now the 7u11 update has been publicly reported to be at risk as well.
In a call made publicly available by Oracle, the leaders of the Java development group took up the issue of what's wrong with Java today.
"We have to fix Java, and we have been doing that," Oracle Java security lead Milton Smith said during the call.
Smith highlighted the new security slider that debuted in the 7u10 release as being a positive step forward. He also identified the core focus for his team's security efforts.
"A lot of the things we're looking at focus on Java in the browser," Smith said. "That's where we have seen most of the weakness with Java, and that is the concern we are targeting."
While Smith aimed to strike a positive tone about the future direction of Java security, those in the security research community are not as optimistic. HD Moore, CSO of Rapid7 and chief architect of the Metasploit framework, told eSecurity Planet that in his view Smith did not inspire any confidence that Oracle was on the right track or applying the right resources to the problem.
Smith made a number of excuses during the call, including noting that the Java security group is small, that it is difficult to get the message out and that Smith himself is still a little new to the role, Moore pointed out. "It didn't sound like Oracle was providing much support for this team, let alone bringing in experts on SDLC or security response."
While few actual tangible fixes were discussed during the Java security call, Smith repeatedly highlighted the Java 7u10 update which provided improved controls and a Java security slider.
"Unfortunately all of these features had little impact on the most recent zero-day exploit, which had to be fixed by 7u11," Moore said.
Moore labeled Oracle's recent Java security issues a "communications problem" and said users were not aware of the new features.
"In general, no tangible answers were provided to any of the key questions," Moore said. "The discussion around auto-updates went around for a bit and finally ended up with a discussion of whether it would fit into a Java 8 or Java 9 release."
Andrew Storms, director of security operations for nCircle, echoed Moore's lack of excitement about Oracle's Java security plans. Storms described the Java security discussion as pretty lackluster.
"It's good to finally see Oracle acknowledge that they have a seriousness of the situation," Storms said. "Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb."
I believe that allowing the use of reflection in Java was an unwise decision. It gives programmers tremendous power, but these classes and methods are much too dangerous in the hands of malicious programmers. At the very least, I would disable the reflection classes and methods in an applet context.
I no longer program for a living—can you explain what a reflection class is? I think I know, based on the name alone, but would appreciate an explanation.
A little cut’n’paste:
Uses of Reflection
Reflection is commonly used by programs which require the ability to examine or modify the runtime behavior of applications running in the Java virtual machine. This is a relatively advanced feature and should be used only by developers who have a strong grasp of the fundamentals of the language. With that caveat in mind, reflection is a powerful technique and can enable applications to perform operations which would otherwise be impossible.
An application may make use of external, user-defined classes by creating instances of extensibility objects using their fully-qualified names.
Class Browsers and Visual Development Environments
A class browser needs to be able to enumerate the members of classes. Visual development environments can benefit from making use of type information available in reflection to aid the developer in writing correct code.
Debuggers and Test Tools
Debuggers need to be able to examine private members on classes. Test harnesses can make use of reflection to systematically call a discoverable set of APIs defined on a class, to ensure a high level of code coverage in a test suite.
Drawbacks of Reflection
Reflection is powerful, but should not be used indiscriminately. If it is possible to perform an operation without using reflection, then it is preferable to avoid using it. The following concerns should be kept in mind when accessing code via reflection.
Because reflection involves types that are dynamically resolved, certain Java virtual machine optimizations can not be performed. Consequently, reflective operations have slower performance than their non-reflective counterparts, and should be avoided in sections of code which are called frequently in performance-sensitive applications.
Reflection requires a runtime permission which may not be present when running under a security manager. This is an important consideration for code which has to run in a restricted security context, such as in an Applet.
Exposure of Internals
Since reflection allows code to perform operations that would be illegal in non-reflective code, such as accessing private fields and methods, the use of reflection can result in unexpected side-effects, which may render code dysfunctional and may destroy portability. Reflective code breaks abstractions and therefore may change behavior with upgrades of the platform.
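An added example, not from the thread or from Oracle's tutorial, that shows the restricted-context point above in code: the same reflective read of a private field succeeds with no security manager installed and is refused once a SecurityManager denies ReflectPermission("suppressAccessChecks"). It assumes a Java 8-style runtime where System.setSecurityManager is still available (Java 18 and later need -Djava.security.manager=allow); the Vault class and its secret value are constructed for the demo.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

// Constructed sample: a class whose internal state callers should not read directly.
class Vault {
    private String secret = "constructed-sample-secret";
}

public class ReflectionGateDemo {

    // Reads Vault.secret reflectively. The setAccessible(true) call is the step
    // that overrides the "private" access check, and it is the step a security
    // manager gates with ReflectPermission("suppressAccessChecks").
    static String readSecretReflectively(Vault v) throws Exception {
        Field f = Vault.class.getDeclaredField("secret");
        f.setAccessible(true);
        return (String) f.get(v);
    }

    public static void main(String[] args) throws Exception {
        Vault v = new Vault();

        // 1. No security manager (the default for desktop and server Java):
        //    the private field is readable.
        System.out.println("unrestricted: " + readSecretReflectively(v));

        // 2. A security manager that denies suppressAccessChecks, the kind of
        //    restricted context the applet sandbox provides: the same call
        //    fails with SecurityException before the field is touched.
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkPermission(Permission perm) {
                if (perm instanceof ReflectPermission
                        && "suppressAccessChecks".equals(perm.getName())) {
                    throw new SecurityException("reflective access denied: " + perm);
                }
                // Every other permission is allowed to keep the demo focused.
            }
        });
        try {
            System.out.println("restricted: " + readSecretReflectively(v));
        } catch (SecurityException e) {
            System.out.println("restricted: " + e.getMessage());
        }
    }
}
```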
Take a desk you want to work on and clear what you need to do that work
If you learn you need more space after doing what you've done so far, you take that phase of the project off the desk (clearing the space again), go to the shelf you need to get the materials you need to perform phase two and sit down to work on a clear desk.
THAT works for me (if it's correct)
Can you simplify what you just said for us non techies ?
Basically, reflection allows self-modifying code.
All these security exploits have used reflection in sneaky ways to get access to classes and data they’re not supposed to have access to.
I work a lot with server-side Java, but there is NO WAY I would advocate using Java in the browser.
Yes, and I hope they do it soon. I am tired of Retina crapping all over it.
We use it internally here. We use HP servers with ILO licensed, and we access the ILO with JVM or .NET.
But ... what is reflection ?
Perhaps an analogy will help.
Scenario: Pointy-Headed Boss (PHB) says to Dilbert: “I need an employee to do ImpossibleTask. And no, you may not hire a new employee from outside.” Dilbert frantically searches the list of employees that he manages for one with the capability of handling ImpossibleTask, and tells that employee to perform ImpossibleTask on PHB’s behalf.
Dilbert is the “reflection class” for PHB in this scenario. He can “see into” the capabilities of the employees that he manages and “reflect” those capabilities back to PHB.
PHB doesn’t (have to) know (or care) which employee actually performs ImpossibleTask, as long as Dilbert finds one that does.
In sum, a “reflection” class has the capability of inspecting the attributes (data) and behaviors (actions) of another class and providing that information to another class that requests it.
This is such a “Duh” headline. If Java is not locked down somehow for internet transmission and use, it will be relegated to the dustbin of history. People are now associating it with big trouble under all circumstances, despite it really having problems only when being downloaded by websites. It is too technical for most people to realize that Java programs that they have been using for years and are resident on their computers are not affected by the malware exploits.
Here is the problem with reflection:
Top management never wants to admit it’s wrong.
Besides, I don’t like Larry Ellison.
C# also uses Reflection.
So .. an outsider (hacker) can be called by dilbert or the hacker IS dilbert?
I was one of the earliest adopters of Java in the world outside of Sun Microsystems, amazed by the active content that could be added to a web page using the JVM. It saddens me that as of several years ago, I make exactly the same recommendation as above.
The best thing Oracle could do for the world would be to give away all the patents it has stolen/eaten to some open foundation, put down all its former employees - anyone with a molecule of the rank stink of Oracle on them, and then for the rest collective suicide.
Theoretically any system that uses pre-compiled pseudo code that is executed by a virtual machine could allow reflection....
PHB’s PHB is the hacker in that scenario, I believe.
freeping on an xbox and no java or anything else useful
RAM is more-or-less right there, whereas hard drive data has to be found and transferred into RAM for work to be done.
I would echo that remark. Java has been hyped from the beginning as the language of the web when in fact it really is not. It is true that when it was first released, Java was leaps and bounds above C++ and some of the other options out there for web programming which at that time was fairly new. There are now other, better options, designed for programming the web and web browsers. Java is a great server-side language but not so good for the web and browsers.
Yes, C# uses reflection and reflection is a useful and valid tool.
Whether it is C# or Java, the use of reflection is only as secure as the knowledge and attention that the programmer or team that uses it gives to securing it as well as judicious use of the reflection class.
Oracle is not always all that good with its customer support anyway. They make it difficult to do the right things and frequently ignore that which does not pertain to their bottom line. When Oracle bought Java, there was a bit of discussion about how well they would support the system and keep it up to date. Any programming language application is only as secure as the knowledge and proficiency of the developer(s) who build it.
An outsider [think Catbert, the evil HR director of OtherBigCorp] can call upon Dilbert and use his reflection capabilities for OtherBigCorp's own purposes.
Seems like they need to turn off reflection, self-awareness which would then trigger or put the onus on developers of Java apps to rewrite their stuff in such a way that those features aren’t needed.
I have no idea or how hard that would be for the various owners of the various apps.
Maybe the reflection/self-awareness only gets turned off in the context of running in a web browser but can be enabled in other use cases.
Some things are best left to they that speak the language and understand the natives/customs
A bit harsh, but hey, that’s just me.
Basically, Oracle destroys everything it touches. It’s also a fount of corruption and scamming. Let it get its hands on a government contract and watch the money disappear while nothing of value gets delivered.
Sometimes I think a basic requirement for an Oracle executive is to have some experience of prison life, or as close as possible.
OK, sell it. :)
Well, all I do know is my ex is an exec there and he is as upstanding as they come. Not sure about the rest of them!
The only role I see for java is server side where it outshines most every other webtech. It’s a dead-ender client side where HTML5+ has taken over.