We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
Experts prod Oracle to improve Java security

Experts prod Oracle to improve Java security

Take a mulligan, redesign Java, urges one

Article comments

Beset by some very public vulnerabilities in Java, and apparently unable to properly patch those bugs, Oracle must dramatically step up its security game, experts said Monday.

"Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it, and those concerns leak over onto every Oracle product," said Andrew Storms, director of security operations at nCircle Security, in an email.

Storms and others were reacting to the latest "zero-day" vulnerability in Java's browser plug-in, a flaw spotted two weeks ago being exploited by several crimeware kits. Oracle patched the bug on 13 January, but researchers quickly pointed out that the patch itself was flawed.

Even after Oracle patched the vulnerability, the US Computer Emergency Readiness Team (US-CERT), part of the US Department of Homeland Security, took the highly unusual step of continuing to urge users to disable Java in their browsers, citing "the number and severity of this and prior Java vulnerabilities" as its reason.

In email interviews, several experts offered explanations for Oracle's inability to properly patch the latest vulnerability, and urged the company to adopt more rigorous development practices, much as did Microsoft almost a decade ago.

Adam Gowdiak, founder and CEO of Security Explorations, has reported dozens of Java vulnerabilities to Oracle. He was the first to assert that the company's emergency update of Jan. 13 introduced two new bugs, and has claimed Oracle should have patched the latest publicly-exploited vulnerability when it addressed an August 2012 flaw in the same section of Java's code.

"Oracle needs to wake up and learn secure software development"

Today Gowdiak argued that Oracle has been guilty of sloppy work, then cited other failings. "The incidents related to zero-day Java attack code exploiting security issues already known to Oracle show that the company's three-times-a-year Java patch release cycle does not really protect the security and privacy of Java users," Gowdiak said.

Storms chimed in with some harsh criticism, as well.

"Obviously, there's something broken in the Java development or design cycles," Storms said. "Oracle needs to wake up and learn secure software development. [But] that's probably a pipe-dream [because] as usual Oracle seems to be aloof and uninterested in the plight of their customers."

HD Moore, the chief security officer at Rapid7 and the creator of Metasploit, an open-source penetration testing toolkit used by both legitimate and criminal hackers, was willing to cut Oracle some slack on last week's flawed update.

"We have to keep in mind that it was released under duress and did help with the immediate problem of consumers being compromised," said Moore of Oracle's rapid turn-around. He also assumed Oracle engineers are continuing to work the problem for a higher-quality update. "But given its complexity, and requirements with backward compatibility, it may be a while before this class of flaws is finally put to rest," Moore added.

All three experts called on Oracle to adopt a Microsoft-esque approach, where security is an integral part of the development process.

Called Security Development Lifecycle, or SDL, by Microsoft, the process includes regular code reviews as a product is created, and includes development practices designed to reduce the number of vulnerabilities. Windows Vista was the first Microsoft OS to use SDL start to finish.

While Oracle has something similar dubbed "Oracle Secure Coding Standards," and has published secure coding guidelines for third-party Java developers, it's unclear whether the firm has used its own Secure Coding Standards practices on Java, which it inherited from Sun Microsystems in 2010.

If it has, the experts said, it's not working.

"If Oracle wants Java to be successful within the browser, they will need to make serious investments into the security model," said Moore, who added that the Oracle Secure Coding Standards "hasn't been enough."

Flexibility has contributed to Java's security woes

"What Oracle needs now is something similar to the Microsoft Trustworthy Computing initiative," said Storms of the Redmond, Wash. developer's overarching security-minded project, launched in 2002 after then-CEO Bill Gates' famous memo. "[Oracle] needs an executive with a strong vision and the ability to force the organisation to build 'management by objectives' around security."

Gowdiak beat the same Java drum as Storms. "From what we have learned so far investigating Java SE 7 code, the overall impression is that certain new code features/new additions have not been the subject of any security review," he said.

Changing Java's security model won't be easy, Moore acknowledged, what with the need for backward compatibility; Java's ambition to be all things to all users and on all platforms, from enterprise and consumers to desktop, mobile and the Web; and its reliance on an interpreter-level sandbox.

Even its flexibility has contributed to its security woes. "Java has ridiculous amount of functionality," said Moore, who blamed its overreach for many of its problems.

His recommendation: Steal a page from Adobe, Google and Microsoft, which have instituted process-level sandboxes, and reduce the number of APIs that untrusted Java applets can access.

Demands that Oracle get a handle on Java security are not new. In mid-2012, before the two Java zero-days that forced Oracle to issue emergency updates, security professionals pointed to a host of problems, from infrequent updates to lax coding, that had pushed Java to the top of the exploit charts.

But even if Oracle heeds these calls, it's in for a long slog, experts warned.

"At the end of the day, Oracle's primary customer is the enterprise," said Moore. "In contrast with companies like Adobe, they are not well-positioned to handle security problems in their consumer products."

Share:

Comments

  • sumit kher I am basically not a programmer and I am comparatively new to Java technology so I was wondering what all topics should be covered up if i have to start java from the start and has any one studied or got any info regarding this 6 week java training online course httpwwwwiziqcomcourse12 and should we also have knowledge of C language before we further move on to Advance Java topics
Advertisement
Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open
* *