Oracle 'fesses up: Java security flaws more than storm in teacup
Remains silent on shifting crapware with its patches
Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps.
In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated with Oracle's relative silence on the issue".
Oracle released a new version of Java 7 (Java 7u11) on 13 January designed to plug a zero-day vulnerability that had been exploited in the wild. The update was important because the exploit for the bug had been "weaponised" and bundled into widely available black-market hacking toolkits in the week prior to Oracle's emergency out-of-band update.
In an advisory, Oracle explained that the update switched the default Java security setting to "High", so that users are prompted before self-signed or completely unsigned Java applets are allowed to run.
The security flap generated plenty of publicity, especially after the US Department of Homeland Security warned that despite the updates, Java remained a weak target in browsers. Several antivirus firms, including F-Secure and Sophos, advised users to disable Java plugins for their main browser to minimise exposure to future attacks.
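The two mitigations above, the "High" default and disabling the browser plugin altogether, both live in the Java runtime's `deployment.properties` file. The following Python audit is an added example, not code from Oracle or from this article: it parses that file and reports whether web-launched Java is still enabled and whether the security level still lets unsigned or self-signed applets run unprompted. The keys `deployment.security.level` and `deployment.webjava.enabled` are Oracle's documented deployment keys; the two sample file bodies are constructed for the example.

```python
"""Audit a Java deployment.properties file for the browser-plugin settings.

Added example (not Oracle's or The Register's code).  The two sample files
below are constructed; the property keys are Oracle's documented
deployment.properties keys.
"""
import re

# Constructed sample: a workstation whose level was left at MEDIUM and which
# never had the browser plugin turned off (deployment.webjava.enabled absent).
SAMPLE_WEAK = """\
#deployment.properties
#Mon Jan 14 09:12:00 GMT 2013
deployment.version=7.11
deployment.security.level=MEDIUM
deployment.javaws.autodownload=NEVER
"""

# Constructed sample: plugin disabled and level raised above HIGH.
SAMPLE_HARDENED = """\
deployment.version=7.11
deployment.security.level=VERY_HIGH
deployment.webjava.enabled=false
"""

# Ordering of the slider values as Oracle names them.
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or
    key:value (or whitespace separated), backslash line continuations, and
    backslash-escaped ':' / '=' inside keys."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        # A trailing single backslash continues the logical line.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", logical)
        if not m:
            continue
        key = m.group(1).replace("\\:", ":").replace("\\=", "=")
        props[key] = m.group(2).strip()
    return props


def audit(text):
    """Return a list of findings (empty list means both mitigations are in place)."""
    props = parse_properties(text)
    findings = []

    # Absent key means the plugin is enabled; only an explicit 'false' disables it.
    if props.get("deployment.webjava.enabled", "true").strip().lower() != "false":
        findings.append("browser plugin enabled: deployment.webjava.enabled is not 'false'")

    level = props.get("deployment.security.level")
    if level is None:
        # Not pinned: the effective default depends on the installed update
        # (MEDIUM before 7u11, HIGH from 7u11 onwards), so flag it for review.
        findings.append("deployment.security.level not set; default depends on Java version")
    elif LEVEL_RANK.get(level.upper(), -1) < LEVEL_RANK["HIGH"]:
        findings.append(
            f"security level {level}: unsigned/self-signed applets run without a prompt")
    return findings


if __name__ == "__main__":
    for name, body in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(body) or ["ok"])
```

On a real machine point `audit` at the per-user file (`~/.java/deployment/deployment.properties` on Linux, `%APPDATA%\LowLevel...` varies by platform and version, so check Oracle's deployment guide for the exact path) rather than the constructed samples.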
Metasploit founder HD Moore warned Oracle was still sitting on a backlog of Java flaws that will take up to two years to patch, even without the discovery of new flaws.
Oracle clearly has little time for this advice or these observations. The facts of the matter, however, have limited it to stating that the vulnerability was confined to Java running in the browser. It pointed out that server-side, desktop and embedded Java, none of which load untrusted applets through a browser plugin, are unaffected by the recent attacks, which used the plugin to escape the applet sandbox and compromise victims' computers.
In a somewhat delayed communications offensive, Oracle uploaded an MP3 recording of a conference call between the Java User Group and two techies: Milton Smith, the head of security for Java at Oracle, and Donald Smith from the OpenJDK (Open Java Development Kit) group. The call covered "Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage".
We listened so that you don't have to. You're welcome
El Reg's security desk sat through the 52-minute-long call.
Milton Smith started off by saying: "The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely."
The talk frequently branched off into procedural discussions about topics such as whether or not to have a security session at the JavaOne conference and how to communicate with consumers. It also covered the possibility of automatic updates and touched on Oracle's much-criticised practice of bundling third-party crapware, such as a web search toolbar, with Java security updates.
Donald Smith said he wasn't able to discuss the pushing of the Ask Toolbar onto users, or the McAfee security-software offers that appeared minutes after the official Java security patch was issued, as it was a commercially sensitive issue. He criticised the media for putting out the "loose" message to uninstall Java, while admitting there was a security issue with the runtime in web browsers.
The software giant described the conference call as the "tip of the iceberg of what will be done on the Java Security and communication fronts".
Security bods: Oracle has steep credibility hill to climb
Oracle’s first public admission that Java suffers security flaws was pretty stodgy fare that's thus far failed to turn around the generally negative view held by many in the infosec community towards the software giant.
“Oracle’s public admission that they have a security problem with the Java browser plugin is a step forward," said Andrew Storms, director of security operations for nCircle.
"It’s good to finally see Oracle acknowledge the seriousness of the situation. Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb."
Java has become an easy target for hackers. For example, the Red October espionage campaign against government agencies in the former Soviet Union and elsewhere, which ran for five years, used an older Java flaw, one Oracle had patched back in 2011, as one of its infection routes; the bug fixed this month is a different one.
But Oracle's conference call failed to hint at these sorts of problems and lacked dynamism in general, said Storms.
“The content in the Java security discussion was pretty lacklustre," he added.
"You’ve got to wonder what role the Oracle press team has had in the company’s response to all the security criticism they’ve had lately. I felt bad for the people representing Oracle on this call because they didn’t sound well-prepared.
"They didn’t sound like they had a clear idea of what to do, what to say or even exactly who they were speaking to."
The historic antipathy between security researchers and Oracle is partially explained by the software giant's often painfully slow acknowledgement of security problems as well as its staggered release of patches - both for Java and for its database software and other enterprise applications.
Rather than working together with security experts - such as David Litchfield - who discover and report dangerous programming flaws, Oracle has been, by several accounts, difficult, unresponsive and occasionally combative.
Oracle needs to take a leaf out of Microsoft's book and play nice with researchers. A little engagement from its side would go a long way towards getting more outside input on bugs.
Robert "RSnake" Hansen, web application security guru and chief exec of Falling Rock Networks, joked: "At what point do we get to put Java on the stopbadware list?" ®