Oracle has promised to work harder to make Java more secure.
Given the constant flood of high-profile, heavily-exploited vulnerabilities, are Oracle’s new ideas going to be enough to save this piece of software from drowning in bad vibes?
In a lengthy blog post last week, the head of Java development, Nandini Ramani, summed up what’s been done to “address issues with the security-worthiness of Java”.
A passing mention is made to “several reports of security vulnerabilities in Java”.
That “several” refers to a constant barrage of vulnerabilities, patches, zero-days, more patches and more vulnerabilities, going back several years.
Java has been home to a glut of security dangers for a long time now. In our Virus Bulletin prevalence reports, we combine data from a wide range of sources, and Java has been in the top five all this year and was the third biggest detection type overall in 2012.
Thanks to its cross-platform design, Java holes can hit multiple operating systems and have been behind some of the most high-profile and damaging attacks of the last year or two.
There are a few positive things to note in Oracle’s blog post, such as the separation of client and server-side, and improved (though far from perfect) sandboxing, as many vulnerability experts have conceded.
Increasing patch releases to four times a year (plus extras in emergencies) is, of course, a step in the right direction, although the industry widely agrees that monthly would be better. Sure, frequent patch cycles are a headache for admins, but surely it’s better to have a small headache once a month than a massive migraine four times a year.
So, I suppose it is a good thing that Oracle are trying to face up to the problems with Java, even if it is pushing much of the blame onto issues at Sun, before the Oracle acquisition. It’s taken too long to get this far though, and things are still moving far too slowly.
The standard advice from Naked Security has long been to disable Java in the browser at least, and to avoid installing it at all if it’s not *absolutely* required.
If something is this leaky and dangerous, there must be a better option. Granted, in some businesses with creaky legacy setups, it isn’t easy to adopt a new approach, but given how long this has been a major issue, many must be at least considering moving away from the platform.
For some time now, numerous voices have advocated dropping Java and called for its rapid retirement, as the tragic roller-coaster of disasters has unfolded. Now Oracle says they’re stepping up to the plate, ready to do what they can to fix it, but surely it’s a case of too little, too late.
If Java is entrenched in your business, I’d suggest getting busy with looking for an alternative. If you’re still allowing it in your browser, just stop now.
6 comments on “Not good enough, Oracle – promises to secure Java are too little, too late”
For those for whom Java is a necessity, you have to wonder how much vulnerability would remain if people were to adopt the limited user account model more on Windows. As primarily a Windows user myself, I'm genuinely curious about this. For example, how susceptible has Linux been to Java exploits when Java has been running as a regular user account, which is more typically the case as compared to Windows' standard usage model?
UAC is one step in that direction, but I have to wonder how much more protection is gained by using an actual limited user account.
You could also disable Java in the Internet zone of IE and only allow it in trusted sites. Create a process to add necessary sites to the trusted sites zone in IE. Then disable Java on all 3rd party browsers.
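The zone-based approach in the comment above, as an added PowerShell example that is not part of the post or the commenter's own words: it disables Java in IE's Internet zone, keeps it at high safety in the Trusted sites zone, and maps a single placeholder domain into that zone (the domain name and the function names are assumptions for illustration).

```powershell
# Added example: restrict the Java plugin in Internet Explorer per zone.
# Registry layout follows Microsoft's documented IE zone settings:
#   Zones\3 = Internet zone, Zones\2 = Trusted sites zone
#   value 1C00 = "Java permissions": 0 = Disable Java, 0x10000 = High safety,
#   0x20000 = Medium safety, 0x30000 = Low safety.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-IEJavaPermission {
    param([int]$Zone, [int]$Value)
    $path = Join-Path $zones $Zone
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name '1C00' -Value $Value -Type DWord
}

function Get-IEJavaPermission {
    param([int]$Zone)
    $path = Join-Path $zones $Zone
    (Get-ItemProperty -Path $path -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
}

function Add-IETrustedSite {
    # Maps https://<Domain> into the Trusted sites zone (zone id 2).
    param([string]$Domain)
    $path = Join-Path $zoneMap $Domain
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'https' -Value 2 -Type DWord
}

# 1. Disable Java for everything in the Internet zone.
Set-IEJavaPermission -Zone 3 -Value 0

# 2. Keep Java available, at high safety, only in the Trusted sites zone.
Set-IEJavaPermission -Zone 2 -Value 0x10000

# 3. Add only the internal application that genuinely needs Java.
#    'legacy-app.example.com' is a constructed placeholder, not a real site.
Add-IETrustedSite -Domain 'legacy-app.example.com'

# Verify the result before rolling it out: the Internet zone must report 0.
if ((Get-IEJavaPermission -Zone 3) -ne 0) {
    throw 'Java is still enabled in the Internet zone'
}
Write-Host "Internet zone Java permission: $(Get-IEJavaPermission -Zone 3) (0 = disabled)"
```

Machine-wide policy under HKLM or Group Policy takes precedence over these per-user values, so in a managed estate the same settings belong in a GPO. The Java plugin in third-party browsers is not affected by IE zones and has to be disabled separately, as the comment notes.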
I'd also have liked to see some words regarding the Ask.com crapware bundled with Java…
Flaky software, whether free or not, is still flaky. Why can't they perform updates or upkeep on a monthly basis? I still have yet to install Java on my computer with Windows 7 even though I have programs that need it. It's sad when you KNOW software can bring harm but you can't do anything about it.
I do agree that the security updates have been a little late. But, better late than never.