Oracle: 'We Have to Fix Java'

eSecurity Planet ^ | 28 January 2013 | Sean Michael Kerner

[ShadowAce]

Over the course of the last two years, Oracle's Java has been exploited time and again as hackers eviscerate the technology, seemingly at will.

As each exploit emerges against Java, Oracle typically responds within a short period of time with a security update, only to have the update exploited within days. While Oracle has pledged with its successive releases that it is improving Java security, the company has not publicly spoken out about the string of exploitation that has crippled confidence in Java in recent months. That is until now.

"As many of you are keenly aware, there has been a veritable media firestorm around the recent Java vulnerability," Reza Rahman, Java EE evangelist at Oracle, blogged. " As you know, the vulnerability pertains to Java on the browser, not server-side Java, desktop Java or emdedded Java. You may also have been frustrated with Oracle's relative silence on the issue."

Oracle's most recent Java patch was issued in early January. The Java 7 update 11 (7u11) release was triggered by zero day attacks against Java. 7u11 followed the 7u10 update by less than a month. Both 7u10 and 7u11 were intended to make Java more secure through the use of a new security control. 7u10 was exploited, and now the 7u11 update has been publicly reported to be at risk as well.

Oracle Speaks

In a call made publicly available by Oracle, the leaders of the Java development group took up the issue of what's wrong with Java today.

"We have to fix Java, and we have been doing that," Oracle Java security lead Milton Smith said during the call.

Smith highlighted the new security slider that debuted in the 7u10 release as being a positive step forward. He also identified the core focus for his team's security efforts.

"A lot of the things we're looking at focus on Java in the browser," Smith said. "That's where we have seen most of the weakness with Java, and that is the concern we are targeting."

While Smith aimed to strike a positive tone about the future direction of Java security, those in the security research community are not as optimistic. HD Moore, CSO of Rapid7 and chief architect of the Metasploit framework, told eSecurity Planet that in his view Smith did not inspire any confidence that Oracle was on the right track or applying the right resources to the problem.

Smith made a number of excuses during the call, including noting that the Java security group is small, that it is difficult to get the message out and that Smith himself is still a little new to the role, Moore pointed out. "It didn't sound like Oracle was providing much support for this team, lead alone bringing in experts on SDLC or security response."

Better Communication Needed

While few actual tangible fixes were discussed during the Java security call, Smith repeatedly highlighted the Java 7u10 update which provided improved controls and a Java security slider.

"Unfortunately all of these features had little impact on the most recent zero-day exploit, which had to be fixed by 7u11," Moore said.

Moore labeled Oracle's recent Java security issues a "communications problem" and said users were not aware of the new features.

"In general, no tangible answers were provided to any of the key questions," Moore said. "The discussion around auto-updates went around for a bit and finally ended up with a discussion of whether it would fit into a Java 8 or Java 9 release."

Andrew Storms, director of security operations for nCircle, echoed Moore's lack of excitement about Oracle's Java security plans. Storms described the Java security discussion as pretty lackluster.

"It's good to finally see Oracle acknowledge that they have a seriousness of the situation," Storms said. "Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb."

[kevkrom]

I work a lot with server-side Java, but there is NO WAY I would advocate using Java in the browser.

I was one of the earliest adopters of Java in the world outside of Sun Microsystems, amazed by the active content that could be added to a web page using the JVM. It saddens me that as of several years ago, I make exactly the same recommendation as above.

[Hardraade]

The best thing Oracle could do for the world would be to give away all the patents it has stolen/eaten to some open foundation, put down all its former empleyees - anyone with a molecule of the rank stink of Oracle on them, and then for the rest collective suicide.

[central_va]

Theoretically any system that uses pre-complied pseudo code that is executed by a virtual machine could allow reflection....

[Ingtar]

PHB’s PHB is the hacker in that scenario, I believe.

[GeronL]

freeping on an xbox and no java or anything else useful

[Future Snake Eater]

Put a bit more simply, RAM is your desk. You can have all kinds of stuff laid out on it for working on. The larger your desk (more RAM) the more you can work on easily and quickly. Your filing cabinet is where you permanently store the files and the work you've done--this is your hard drive. It takes you time to move from your desk to your filing cabinet, find the file, then put it on your desk for working.

RAM is more-or-less right there, whereas hard drive data has to be found and transferred into RAM for work to be done.

[RJS1950]

I would echo that remark. Java has been hyped from the beginning as the language of the web when in fact it really is not. It is true that when it was first released, Java was leaps and bounds above C++ and some of the other options out there for web programming which at that time was fairly new. There are now other, better options, designed for programming the web and web browsers. Java is a great server-side language but not so good for the web and browsers.

[RJS1950]

Yes, C# uses reflection and reflection is a useful and valid tool.

Whether it is C# or Java, the use of reflection is only as secure as the knowledge and attention that the programmer or team that uses it gives to securing it as well as judicious use of the reflection class.

[RJS1950]

Oracle is not always all that good with its customer support anyway. They make it difficult to do the right things and frequently ignore that which does not pertain to their bottom line. When Oracle bought Java, there was a bit of discussion about how well they would support the syatem and keep it up to date. Any programming language application is only as secure as the knowledge and proficiency of the developer(s) who build it.

[ShorelineMike]

So .. an outsider (hacker) can be called by dilbert or the hacker IS dilbert?

An outsider [think Catbert, the evil HR director of OtherBigCorp] can call upon Dilbert and use his reflection capabilities for OtherBigCorp's own purposes.

[2 Kool 2 Be 4-Gotten]

Seems like they need to turn off reflection, self-awareness which would then trigger or put the onus on developers of Java apps to rewrite their stuff in such a way that those features aren’t needed.

I have no idea or how hard that would be for the various owners of the various apps.

Maybe the reflection/self-awareness only gets turned off in the context of running in a web browser but can be enabled in other use cases.

[knarf]

This is all so ... soap operish.

Some things are best left to they that speak the language and understand the natives/customs

[AllAmericanGirl44]

Wow, really?

A bit harsh, but hey, that’s just me.

[Hardraade]

Basically, Oracle destroys everything it touches. It’s also a fount of corruption and scamming. Let it get its hands on a governemt contract and watch the money disappear while nothing of value gets delivered.

Sometimes I think a basic requirement for an Oracle executive is to have some experience of prison life, or as close as possible.

[Mr. Jeeves]

Oracle: 'We Have to Fix Java'

OK, sell it. :)

[AllAmericanGirl44]

Well, all I do know is my ex is an exec there and he is
as upstanding as they come. Not sure about the rest of them!

[Gene Eric]

The only role I see for java is server side where it outshines most every other webtech. It’s a dead-ender client side where HTML5+ has taken over.