Not good enough, Oracle - promises to secure Java are too little, too late

Filed Under: Featured, Java, Oracle, Security threats, Vulnerability, Web Browsers

java-170Oracle has promised to work harder to make Java more secure.

Given the constant flood of high-profile, heavily-exploited vulnerabilities, are Oracle's new ideas going to be enough to save this piece of software from drowning in bad vibes?

In a lengthy blog post last week, the head of Java development, Nandini Ramani, summed up what's been done to "address issues with the security-worthiness of Java".

A passing mention is made to "several reports of security vulnerabilities in Java".

That "several" refers to a constant barrage of vulnerabilities, patches, zero-days, more patches and more vulnerabilities, going back several years.

Oracle blog post

Java has been been home to a glut of security dangers for a long time now. In our Virus Bulletin prevalence reports, we combine data from a wide range of sources, and Java has been in the top five all this year and was the third biggest detection type overall in 2012.

Thanks to its cross-platform design, Java holes can hit multiple operating systems and have been behind some of the most high-profile and damaging attacks of the last year or two.

There are a few positive things to note in Oracle's blog post, such as the separation of client and server-side, and improved (though far from perfect) sandboxing, as many vulnerability experts have conceded.

Increasing patch releases to four times a year (plus extras in emergencies) is, of course, a step in the right direction, although the industry widely agrees that monthly would be better. Sure, frequent patch cycles are a headache for admins, but surely it's better to have a small headache once a month than a massive migraine four times a year.

So, I suppose it is a good thing that Oracle are trying to face up to the problems with Java, even if it is pushing much of the blame onto issues at Sun, before the Oracle acquisition. It's taken too long to get this far though, and things are still moving far too slowly.

spilt-coffee-170The standard advice from Naked Security has long been to disable Java in the browser at least, and to avoid installing it at all if it's not *absolutely* required.

If something is this leaky and dangerous, there must be a better option. Granted, in some businesses with creaky legacy setups, it isn't easy to adopt a new approach, but given how long this has been a major issue, many must be at least considering moving away from the platform.

For some time now, numerous voices have advocated dropping Java and called for its rapid retirement, as the tragic roller-coaster of disasters has unfolded. Now Oracle says they're stepping up to the plate, ready to do what they can to fix it, but surely it's a case of too little, too late.

If Java is entrenched in your business, I'd suggest getting busy with looking for an alternative. If you're still allowing it in your browser, just stop now.

, , , , ,

You might like

6 Responses to Not good enough, Oracle - promises to secure Java are too little, too late

  1. Binaryphile · 817 days ago

    For those of whom java is a necessity, you have to wonder how much vulnerability would remain if people were to adopt the limited user account model more on Windows. As primarily a Windows user myself, I'm genuinely curious about this. For example, how susceptible has Linux been to Java exploits when Java has been running as a regular user account, which is more typically the case as compared to Windows standard usage model?

    UAC is one step in that direction, but I have to wonder how much more protection is gained by using an actual limited user account.

  2. SuperMe · 817 days ago

    You could also disable Java in the Internet zone of IE and only allow it in trusted sites. Create a process to add necessary sites to the trusted sites zone in IE. Then disable Java on all 3rd party browsers.

  3. Marc · 816 days ago

    I'd also have liked to see some words regarding the crapware bundled with Java...

  4. James · 813 days ago

    The problem is that we are conditioning our users to run screaming from Java. So no amount of blog posts on a site that end users that still get Java and JavaScript confused are going to affect this. It is a free product and I doubt that Oracle will dump the amount of money need to fix it or fix the PR problem.

  5. roy jones jr · 811 days ago

    flaky software, whether free or not is still flaky. Why can't they perform updates or upkeep on a monthly basis? I still have yet to install Java on my computer with Windows 7 even though I have programs that need it. Its sad when you KNOW software can bring harm but you can't do anything about it.

  6. Seth · 781 days ago

    I do agree that the security updates have been a little late. But, better late than never.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.