Java hacker boasts of finding two more unpatched holes

Serial Java fault-finder Adam Gowdiak has embarrassed Oracle yet again.

Gowdiak hit the headlines last year when he reported a vulnerability, waited for Oracle’s response, and then upped the ante with a comeback vuln.

It’s déjà vu all over again, with the Polish researcher publicly bragging about two brand-new vulnerabilities he’s found even since Oracle’s most recent patch just a week ago.

Gowdiak, who claims in his tagline to “bring security research to the new level,” is critical of the way Oracle patched the latest hole.

He implies that although it locked the office door in update 7u11, Oracle left the entrance to the building open, which he considered as good as an invitation to find another way in.

MBeanInstantiator bug (or rather a lack of a fix for it) turned out to be quite inspirational for us. However, instead of relying on this particular bug, we have decided to dig our own issues.

Not only has he gone after new issues, he’s found them, and is proud to tell us:

As a result, two new security vulnerabilities were spotted in a recent version of Java SE 7 code and they were reported to Oracle today.

Is this the next stage of a slow-motion train crash showing that Oracle is worse at security than everyone else?

Or is Oracle just the technology company that techies love to hate?

After all, as some commenters on Naked Security have pointed out, Windows and Microsoft have lots of vulnerabilities found week after week, yet they don’t face the same public opprobrium as Java and Oracle.

Why is that, do you think?

Is it that Oracle is seen as a megacorp whose ultrarich founder hasn’t yet got in touch with his philanthropic side (like Bill Gates), or brought to market sleek consumer products that everyone wants to own (like the late Steve Jobs)?

Is Oracle still the corporate database vendor that remained in security denial after everyone else had started to admit that this whole vulnerabilities-plus-exploits-equals-money-from-malware business might deserve a bit more proactivity?

Or is it simply as-yet unrequited technical antipathy that Oracle, of all possible suitors, had the temerity to buy Sun, and with it all of Sun’s beardily-beloved technology?

Whatever the reasons, Oracle does seem to be learning something about the sociology of patching widely-distributed, consumer-targeted software like Java: patch early, patch often, don’t be in denial, and think of extra mitigations beyond what is strictly necessary.

Indeed, Oracle’s recent Java updates have introduced, amongst other things:

• The 7u11 patch that came out faster than many people expected.

• Stricter default security settings for code signing.

• A control panel with a “lock Java out of your browser” option.
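For sysadmins who want to verify that the “lock Java out of your browser” setting has actually landed on a machine rather than trusting the Control Panel, here is an added example (not code from the article or from Oracle) that reads a Java 7 deployment.properties file and reports the plugin and security-level posture; the property names deployment.webjava.enabled and deployment.security.level, and the “.locked” suffix, are assumed from Oracle’s 7u10+ deployment configuration, and the sample file content is constructed.

```python
"""Check a Java 7 deployment.properties file for the browser lock-out and
security-level settings.  Added example; the property names are assumptions
taken from Oracle's Java 7u10+ deployment configuration documentation."""
from pathlib import Path

# Constructed sample of a system-wide deployment.properties (not from the article).
SAMPLE_PROPERTIES = """\
# deployment.properties
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""


def parse_properties(text):
    """Parse Java-style 'key=value' lines; a bare key (e.g. a '.locked' entry)
    maps to the empty string.  Comment lines start with '#' or '!'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        props[key.strip()] = value.strip() if sep else ""
    return props


def assess(props):
    """Summarise the browser-plugin posture expressed by the parsed properties."""
    plugin_off = props.get("deployment.webjava.enabled", "true").lower() == "false"
    return {
        "browser_plugin_disabled": plugin_off,
        # A '.locked' entry stops users re-enabling the plugin from the Control Panel.
        "plugin_setting_locked": "deployment.webjava.enabled.locked" in props,
        # None means the file does not set a level, so the JRE default applies.
        "security_level": props.get("deployment.security.level"),
    }


def assess_file(path):
    """Convenience wrapper for a real file, e.g. the system-wide deployment.properties."""
    return assess(parse_properties(Path(path).read_text()))


if __name__ == "__main__":
    print(assess(parse_properties(SAMPLE_PROPERTIES)))
```

Run it against the system-wide deployment.properties on each host to confirm the plugin is both disabled and locked before declaring Java “out of the browser”.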

Ironically, the biggest backlash on Naked Security against our suggestions to lock Java out of your browser has come from sysadmins saying, “You can’t expect a business network to ditch Java so suddenly, and you’re being thoughtless to suggest it.”

Perhaps there’s a bit of truth in that. We accept it’s harder for a large and heterogeneous network to adapt its Java settings abruptly than it is for a consumer.

Nevertheless, we still think it’s an issue you may as well confront now, instead of simply invoking “legacy reasons” as an excuse for ignoring it for too long, as many companies did with IE 6.

→ Are you a sysadmin? Have you recently banned Java in corporate browsers? Or do you still have applets you simply must let everyone use? Send us an email, or leave a comment below, to tell us how you’re getting along with Java…