Oracle 'fesses up: Java security flaws more than storm in teacup

Remains silent on shifting crapware with its patches

Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps.

In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated with Oracle's relative silence on the issue".

Oracle released a new version of Java 7 (Java 7u11) on 13 January designed to plug a zero-day vulnerability that has been exploited in the wild. The update was important because the exploit for the bug had been "weaponised" and bundled in widely available black-market hacking toolkits in the week prior to Oracle's emergency out-of-band update.

In an advisory, Oracle explained that the update switched default Java security settings to "High" so that users will be prompted to allow cryptographically self-signed, or completely unsigned, Java applets to run.

The security flap generated plenty of publicity, especially after the US Department of Homeland Security warned that despite the updates, Java remained a weak target in browsers. Several antivirus firms, including F-Secure and Sophos, advised users to disable Java plugins for their main browser to minimise exposure to future attacks.

Metasploit founder HD Moore warned Oracle was still sitting on a backlog of Java flaws that will take up to two years to patch, even without the discovery of new flaws.

Oracle clearly doesn't care much for this advice or these observations. The facts of the matter, however, have limited it to stating that the vulnerability affected only Java in the browser. It pointed out that server-side Java, desktop Java and embedded Java are immune from the recent attacks, which broke through the security of browser plugins and compromised victims' computers.

In a somewhat delayed communications offensive, Oracle uploaded an MP3 recording of a conference call between the Java User Group and two techies: Milton Smith, the head of security for Java at Oracle, and Donald Smith from the OpenJDK (Open Java Development Kit) Group. The call covered "Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage".

We listened so that you don't have to. You're welcome

El Reg's security desk sat through the 52-minute-long call.

Milton Smith started off by saying: "The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely."

The talk frequently branched off into procedural discussions about topics such as whether or not to have a security session at the Java One conference and how to communicate with consumers. It also covered the possibility of automatic updates and touched on Oracle's much-criticised practice of bundling third-party crapware - such as a web search toolbar - with Java security updates.

Donald Smith said he wasn't able to discuss the pushing of the Ask Toolbar onto users, nor the McAfee security updates that appeared minutes after the official Java security patch was issued, as these were commercially sensitive issues. He criticised the media for putting out the "loose" message to uninstall Java, while admitting there was a security issue with the runtime in web browsers.

The software giant described the conference call as the "tip of the iceberg of what will be done on the Java Security and communication fronts".

Security bods: Oracle has steep credibility hill to climb

Oracle's first public admission that Java suffers from security flaws was pretty stodgy fare that has thus far failed to turn around the generally negative view held by many in the infosec community towards the software giant.

“Oracle’s public admission that they have a security problem with the Java browser plugin is a step forward," said Andrew Storms, director of security operations for nCircle.

"It’s good to finally see Oracle acknowledge the seriousness of the situation. Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb."

Java has become an easy target for hackers. For example, the vulnerability recently patched by Oracle was exploited for five years in the high-profile Red October espionage against government agencies in the former Soviet Union.

But Oracle's conference call failed to hint at these sorts of problems and lacked dynamism in general, said Storms.

“The content in the Java security discussion was pretty lacklustre," he added.

"You’ve got to wonder what role the Oracle press team has had in the company’s response to all the security criticism they’ve had lately. I felt bad for the people representing Oracle on this call because they didn’t sound well-prepared.

"They didn’t sound like they had a clear idea of what to do, what to say or even exactly who they were speaking to."

The historic antipathy between security researchers and Oracle is partially explained by the software giant's often painfully slow acknowledgement of security problems as well as its staggered release of patches - both for Java and for its database software and other enterprise applications.

Rather than working together with security experts - such as David Litchfield - who discover and report dangerous programming flaws, Oracle has been, by several accounts, difficult, unresponsive and occasionally combative.

Oracle needs to take a leaf out of Microsoft's book and play nice with researchers. A little engagement from its side would go a long way towards getting more outside input on bugs.

Robert "RSnake" Hansen, web application security guru and chief exec of Falling Rock Networks, joked: "At what point do we get to put Java on the stopbadware list?" ®
