Java hacker boasts of finding two more unpatched holes

Filed Under: Featured, Oracle, Vulnerability

Serial Java fault-finder Adam Gowdiak has embarrassed Oracle yet again.

Gowdiak hit the headlines last year when he reported a vulnerability, waited for Oracle's response, and then upped the ante with a comeback vuln.

It's déjà vu all over again, with the Polish researcher publicly bragging about two brand-new vulnerabilities he's found even since Oracle's most recent patch just a week ago.

Gowdiak, who claims in his tagline to "bring security research to the new level," is critical of the way Oracle patched the latest hole.

He implies that although it locked the office door in update 7u11, Oracle left the entrance to the building open, which he considered as good as an invitation to find another way in.

MBeanInstantiator bug (or rather a lack of a fix for it) turned out to be quite inspirational for us. However, instead of relying on this particular bug, we have decided to dig our own issues.

Not only has he gone after new issues, he's found them, and is proud to tell us:

As a result, two new security vulnerabilities were spotted in a recent version of Java SE 7 code and they were reported to Oracle today.

Is this the next stage of a slow-motion train crash showing that Oracle is worse at security than everyone else?

Or is Oracle just the technology company that techies love to hate?

After all, as some commenters on Naked Security have pointed out, Windows and Microsoft have lots of vulnerabilities found week after week, yet they don't face the same public opprobrium as Java and Oracle.

Why is that, do you think?

Is is that Oracle is seen as a megacorp whose ultrarich founder hasn't yet got in touch with his philanthropic side (like Bill Gates), or brought to market sleek consumer products that everyone wants to own (like the late Steve Jobs)?

Is Oracle still the corporate database vendor that remained in security denial after everyone else had started to admit that this whole vulnerabilities-plus-exploits-equals-money-from-malware business might deserve a bit more proactivity?

Or is it simply as-yet unrequited technical antipathy that Oracle, of all possible suitors, had the temerity to buy Sun, and with it all of Sun's beardily-beloved technology?

Whatever the reasons, Oracle does seem to be learning something about the sociology of patching widely-distributed, consumer-targeted software like Java: patch early, patch often, don't be in denial, and think of extra mitigations beyond what is strictly necessary.

Indeed, Oracle's recent Java updates have introduced, amongst other things:

• The 7u11 patch that came out faster than many people expected.

• Stricter default security settings for code signing.

• A control panel with a "lock Java out of your browser" option.

Ironically, the biggest backlash on Naked Security against our suggestions to lock Java out of your browser has come from sysadmins saying, "You can't expect a business network to ditch Java so suddenly, and you're being thoughtless to suggest it."

Perhaps there's a bit of truth in that. We accept it's harder for a large and heterogeneous network to adapt its Java settings abruptly than it is for a consumer.

Nevertheless, we still think it's an issue you may as well confront now, instead of simply invoking "legacy reasons" as an excuse for ignoring it for too long, as many companies did with IE 6.

→ Are you a sysadmin? Have you recently banned Java in corporate browsers? Or do you still have applets you simply must let everyone use? Send us an email, or leave a comment below, to tell us how you're getting along with Java...

, , , , ,

You might like

12 Responses to Java hacker boasts of finding two more unpatched holes

  1. Another Java security hole? Boy, this is déjà vu all over again.

    Now, you folks at Sophos are suggesting to disable Java from your browser and I couldn't agree more. On an interesting addition, I'm not sure if you know this, but with Mountain Lion (OS X 10.8) from Apple, Java is bundled in and 64-bit only, of course - so if you're running Google Chrome, (like I am) Java won't load anyway because it can't operate in a 32-bit browser, which is a good thing.

    Although, I always untick "Enable Java content in the browser" anyway, mostly because I don't need it for that, and while Chrome is not capable of running Java, Safari is, and why should I let it run it anyway, when I don't need it? The only reason why I have it installed is mostly because I want to run some Java games occasionally, so if that's what you're using Java for as well (on any system for that matter), disable Java content in your browser and you're good to go.

    Thanks for another heads-up, Paul!

  2. The inter-twining of Oracle and OpenJDK is quite complex these days. Is code from the OpenJDK collaboration making it's way into the Windows environment, where your main revenue line comes from, or is this an exclusive Windows/Oracle problem?

  3. Stump · 991 days ago

    Any company with an accounting department managing corporate bank accounts knows the pain. SO many banks require java as part of their 'security' mechanism.

    • flea-bite · 990 days ago

      Banking, payroll, etc. always require java. It's so frustrating that the pc's we try hardest to protect have to work in an environment that is the most vulnerable.

  4. anon · 991 days ago

    MOD ban java

  5. Jon Fukumoto · 991 days ago

    Uninstall Java and leave it off. This is ridiculous!! Oracle's handling of Java is awful!! I have removed Java completely from my Mac and I'm never installing it. It's too risky.

    • Paul Ducklin · 990 days ago

      Locking Java out of your browser is almost certainly enough. The vast majority of the risk posed by Java is via applets in your browser, not via applications (which are IMO inherently no more or less risky than native OS X programs).

      Admittedly, uninstalling the the whole shooting match, including the entire JRE (runtime), is one way to be sure that Java won't run in your browser.

      But those who want or need Java installed (for software development, perhaps for Android) don't have to throw out the baby with the bathwater.

  6. Noize · 990 days ago

    Haha, I like this! +1

    Don't think Microsoft and Windows aren't getting bad looks from their Vulnerabilities. Nobody relizes that Linux is the way to go... It becomes user error when a virus gets on linux, unless it's a kernel vulnerability. The word should go out, Windows has a lot more vulnerabilities then OS X and Linux. This is also due to the dumbfounded users of windows and OS X. All you have to do, is create a big fuss about it in the media, and the whole view of a product or item can be reversed into a downward spiral.

    • Paul Ducklin · 990 days ago

      Well, there are a lot of insecure internet-facing Linux servers out there, infected with exploit packs or malicious JavaScript, waiting for Windows and Mac users to come visiting sites they think they can trust, perhaps even sites they could and did trust yesterday...

      ...only to find malware shoved in their faces.

      Remember that a lot of the vulns in "Windows" are not in the OS itself, but in one of the software components on top of it. So if you're going to count every Word or IIS or ShrePoint vuln as if they were Windows holes, you probably have to count a lot of third-party application holes as if they were in Linux itself.

  7. Alex · 990 days ago

    I guess that these exploits affects only java code that you download and run like applets, what about application-servers like Tomcat or Glassfish?
    I believe that the Enterprise world of JEE is still a valid environment to rely on.
    Do you at Sophos agree?

  8. Adam · 983 days ago

    Once again... for an enterprise domain, does anyone know of a way to disable Java for the web browser for all users on the domain? One can easily find instructions for doing it for oneself, but I have yet to see a way to do it across an enterprise. Sending out instructions to users seems more along the lines of "Hit Send and pray for the best."

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog