Oracle Java fails at security in new and creative ways

Filed Under: Featured, Java, Malware, Oracle, Podcast

CC-Oracle-PeterMakinski170Oracle Java, easily the most attacked and successfully exploited browser plugin, is on my radar again after finding new ways to fail at security.

The first sign of trouble recently was posted on Jerry Jongerius's site, Duckware. He described the embarrassingly broken code signing implementation in the Java Runtime Environment (JRE).

The purpose of code signing is to cryptographically ensure that you can identify who created a program and that it hasn't been tampered with by any third parties.

For example, Oracle offers a test applet (applets are Java programs that run in your browser) to determine whether your version of Java is update to date.

When you download the applet with Java, you are prompted to run the applet with a warning that Java applets can be dangerous, the name of the applet, the publisher and the URL serving it to you.

JavaWarning500

While the name can be anything, it is usually there to remind you of why you want to run this Java program.

The publisher should provide a clue as to whether it is from the expected source and the URL verifies that it is coming from the expected site.

What Jerry discovered is that you can forge both the application name and the URL to be anything you want. In essence, they're doing it wrong.

Similar to the Android "Master Key" key flaw this summer, flaws in application signing could be used by malware authors to load malicious applets.

Even worse, signed Java applets run with full privileges, largely removing all the security advantages of the language's much touted sandboxing technology.

Now Oracle is rolling out another misguided attempt at shoring up Java security.

OraceDRS250Because they intend on discontinuing one of the most popular versions of Java (1.6) in April 2014 (a bad month for Java 1.6 Windows XP users) they decided to build a bit of a bridge for enterprise users called "Deployment Rule Sets".

Oracle's concept is that enterprises who have a certificate for signing Java applets will be able to sign a policy for their outdated applets that allows them to continue to operate insecurely, even if the device is running a more modern version of Java that prohibits these behaviors.

Wow.

What a dream for attackers who deliver malicious applets as a means of delivering malware to your PC/Mac.

It's a way to disable security warnings that in no way deters cybercriminals, but is too complicated for most organizations to manage and deploy.

This feature of course offers no security benefits at all to normal Java users and arguably very little for corporate customers.

Worse yet, everyone's Java installation (if you are running a recent enough version) will be vulnerable to attackers exploiting the "feature."

All you need to do is digitally sign a package containing a policy to disable most security restrictions.

There is a long history of both wrongly issued certificates and stolen certificates being used to sign malware.

These signatures aren't just valid inside your company; if they are included in a Java applet they can apply anywhere.

The only possible penalty for deploying one of these policies in the wild to do harm is the revocation of your signing certificate.

If you're a crook and have either stolen a certificate from an infected PC or have convinced a certificate authority you might want to publish legitimate apps you've got nothing to lose.

This addition to the crazy maze of security options present in varying versions of Java is enough to make your head spin.

If we have learned anything over the years, complexity is the enemy of security. We must design security technologies that just "do the right thing" and don't require Byzantine security processes by the user.

Unfortunately, Oracle has chosen a different path.

So, I stand by my advice to disable Java whenever possible. If you haven't already, read our post on how to disable Java in your browser.

Want to know more about Java, Javascript and what Duck and I think you should do to stay secure? Listen to our podcast: Techknow - All about Java:

Play now:

(31 August 2012, duration 16'19", size 11MB)

Download for later:

Sophos Techknow - All about Java (MP3)

If you have any remaining doubts about Oracle's commitment to security, consider how it is still trying to install the Ask toolbar when you download updates to Java.

Apparently $37.2 billion in revenue isn't enough to not clutter your browser's toolbar and increase the attack surface of your browser in the process.

, , , , , ,

You might like

20 Responses to Oracle Java fails at security in new and creative ways

  1. Joe Average can just remove Java. For corporate environments where some critical app requires Java, what's missing is more control. Not mucking about with certificates, though. That's just complexity. Specifically, browsers need to be able to easily whitelist the required URLs which require Java, blocking its use elsewhere. I'm stunned this isn't available.

    • 2072 · 340 days ago

      That's a nice idea indeed. Even for other plugins than Java. Most browser plugins require full access to the web pages you visit, which can be quite dangerous as you authorise them to do whatever they want with your data (sending them to a third party for example)...

      We should be able to block or authorize add-ons on a per-site basis. Either allow an add-on all websites by default and block it for a few specific URLs or the opposite: block an add-on by default and authorise it just on a few websites...

    • Nigel · 340 days ago

      "Not mucking about with certificates, though. That's just complexity."

      Do you mean, "That's just complicated."? I can't tell for certain because I'm not an expert, and maybe there's something about certificates that I'm missing. But I do know that In the context of the article, "complexity" means something very different. It's not synonymous with "complicated".

      • I think I mean complexity. Certificates extend the scope of the Java configuration, thus making configuration more complex. Certificate use may or may not also be complicated, depending on how at ease one is with preparing, creating and distributing them!

  2. I'm not smart at all when it comes to computers but don't we need Java to run certain apps on our computers? And if it is so dangerous how will we run the apps we want and need if we get rid of it?

    • Cheryl · 340 days ago

      That would be my question, as well. Is there an alternative to Java? I play a few games in Facebook and wonder if by disabling Java there will be certain games I just won't be able to play...

    • Nigel · 340 days ago

      You don't need to remove Java to protect yourself. Just disable it.

      To disable the Java applet in your browser, look here: http://nakedsecurity.sophos.com/?s=disable+java

      If you need to disable Java for your operating system, do a web search for "disable Java for (your OS)".

      If you're not sure whether you need Java, disabling it is the way to go. I don't know what system you're using, but in OS X if you try to run an app that requires Java and it has been disabled, the system will let you know. I imagine other systems work in a similar way. In that case, you just enable it, run the Java app, and then disable it when you're done.

    • Don · 340 days ago

      There are extremely few apps that an average home user would ever need to run that require Java so the chances of them needing it is extremely small. Uninstall it and don't worry about it. If you run into an app that requires Java it will notify you that you are missing a plugin. At that point one can determine if that app is worth running or not and install it if they absolutely have to, but the chances of that happening are extremely slim.

      I'm well beyond being an "average" user and I haven't haven't needed Java for several years. I never install it and don't miss it at all.

    • Chester Wisniewski · 340 days ago

      Most likely no Kim. There is another technology called JavaScript which is vital for most web pages to work. Java is not related to JavaScript, despite the name. The only mainstream thing I am aware of that requires Java is the game Minecraft.

  3. Randall · 340 days ago

    Totally agree with Dave above. We are shackled with legacy software that requires old versions of Java. Our help desk spends a lot of time undoing the work of periodic security updates, explaining to users how to force the use of insecure software just so they can continue to do their jobs.

  4. Steve · 340 days ago

    So, where did the discontinuing Java 6 in April 2014 come from?
    It looks like support for Java 6 is already been pulled unless you pay Oracle (a lot of ?) money

  5. spryte · 340 days ago

    Huh?
    Whatever happened to:
    Run > cmd > java -version
    ?

  6. Cheryl · 340 days ago

    Is there an alternative to Java? Do I need Java to play my games in Facebook? I keep getting reminders to upgrade to a new version but when I go to run the upgrade, it says I already have the latest version.

  7. JavaOne · 340 days ago

    I would love to see a demo of an attack that uses this the new "feature" of Deployment Rule Sets is used to disable the security restrictions of clients. Is there one that exists?

    • Chester Wisniewski · 340 days ago

      I have not seen it exploited yet, but we will keep our eyes open.

  8. asdadasdsada · 339 days ago

    as long X fails, the Y will fail too...

    X = java.
    Y = mobile OS.

  9. Just as I wanted (see my earlier comment): today I see http://www.theregister.co.uk/2013/09/13/java_depl... which points to http://docs.oracle.com/javase/7/docs/technotes/gu... and allows one to set 'deployment rules'. One example is that of whitelisting sites.

    This could be very useful, although I see that the ruleset "must be signed with a valid certificate from a trusted certificate authority" which sounds rather annoying ... :-/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.