Oracle 'fesses up: Java security flaws more than storm in teacup

Remains silent on shifting crapware with its patches


Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps.

In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated with Oracle's relative silence on the issue".

Oracle released a new version of Java 7 (Java 7u11) on 13 January designed to plug a zero-day vulnerability that has been exploited in the wild. The update was important because the exploit for the bug had been "weaponised" and bundled in widely available black-market hacking toolkits in the week prior to Oracle's emergency out-of-band update.

In an advisory, Oracle explained that the update switched default Java security settings to "High" so that users will be prompted to allow cryptographically self-signed, or completely unsigned, Java applets to run.
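The "High" setting described above lives in the Java deployment configuration, so an administrator can verify it without clicking through the Java Control Panel on every machine. The following Python checker is an added example and is not Oracle's code: it assumes the Java 7u10+ `deployment.security.level` property (values LOW, MEDIUM, HIGH, VERY_HIGH) in a `deployment.properties` file, plus the generic `.locked` suffix that pins a property so users cannot lower it; the two sample files are constructed for illustration.

```python
"""Audit the security level set in a Java deployment.properties file.

Added example, not Oracle's code. Assumes the Java 7u10+ key
`deployment.security.level` (LOW, MEDIUM, HIGH, VERY_HIGH) and the
`deployment.security.level.locked` marker that stops users lowering the
setting in the Java Control Panel. Sample inputs are constructed.
"""

from typing import Dict, List

# Ordering used to compare levels; HIGH is the default the 7u11 update introduced.
LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}
REQUIRED_LEVEL = "HIGH"

# Constructed samples: one that relies on a weakened, unlocked setting and one
# that pins a stricter level in place.
WEAK_SAMPLE = """\
# deployment.properties (constructed sample)
deployment.version=7.11
deployment.security.level=MEDIUM
"""

STRONG_SAMPLE = """\
# deployment.properties (constructed sample)
deployment.version=7.11
deployment.security.level=VERY_HIGH
deployment.security.level.locked
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for Java .properties files: key=value lines, '#'/'!' comments.

    A key with no '=' (e.g. the .locked marker) is stored with an empty value.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _sep, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_security_level(text: str, required: str = REQUIRED_LEVEL) -> List[str]:
    """Return findings for the given file contents; an empty list means it meets policy."""
    props = parse_properties(text)
    findings: List[str] = []
    level = props.get("deployment.security.level", "").upper()
    if level not in LEVEL_RANK:
        # Absent or unrecognised: the runtime falls back to its built-in default,
        # which this audit treats as an unverified setting rather than a pass.
        findings.append(f"deployment.security.level missing or unrecognised: {level!r}")
    elif LEVEL_RANK[level] < LEVEL_RANK[required]:
        findings.append(f"security level {level} is below the required {required}")
    if "deployment.security.level.locked" not in props:
        findings.append("deployment.security.level is not locked; a user can lower it in the Control Panel")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("strong", STRONG_SAMPLE)):
        result = audit_security_level(sample)
        print(name, "->", result or "OK")
```

Pointing the script at the real per-user or system-wide `deployment.properties` path is left to the reader, since that location differs by platform; the logic above only needs the file's text.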

The security flap generated plenty of publicity, especially after the US Department of Homeland Security warned that despite the updates, Java remained a weak target in browsers. Several antivirus firms, including F-Secure and Sophos, advised users to disable Java plugins for their main browser to minimise exposure to future attacks.

Metasploit founder HD Moore warned Oracle was still sitting on a backlog of Java flaws that will take up to two years to patch, even without the discovery of new flaws.

Oracle clearly doesn't care much for this advice or these observations. The facts of the matter, however, have limited it to stating that the vulnerability was confined to Java in the browser. It pointed out that server-side Java, desktop Java and embedded Java are immune to the recent attacks, which broke through the security restrictions on browser plugins and compromised victims' computers.

In a somewhat delayed communications offensive, Oracle uploaded an MP3 recording of a conference call between the Java User Group and two techies: Milton Smith, head of security for Java at Oracle, and Donald Smith from the OpenJDK (Open Java Development Kit) group. The call covered "Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage".

We listened so that you don't have to. You're welcome

El Reg's security desk sat through the 52-minute-long call.

Milton Smith started off by saying: "The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely."

The talk frequently branched off into procedural discussions about topics such as whether or not to have a security session at the Java One conference and how to communicate with consumers. It also covered the possibility of automatic updates and touched on Oracle's much-criticised practice of bundling third-party crapware - such as a web search toolbar - with Java security updates.

Donald Smith said he wasn't able to discuss the pushing of the Ask Toolbar onto users, nor the McAfee security updates that appeared minutes after the official Java security patch was issued, as it was a commercially sensitive issue. He criticised the media for putting out the "loose" message to uninstall Java, while admitting there was a security issue with the runtime in web browsers.

The software giant described the conference call as the "tip of the iceberg of what will be done on the Java Security and communication fronts".

Security bods: Oracle has steep credibility hill to climb

Oracle’s first public admission that Java suffers security flaws was pretty stodgy fare that's thus far failed to turn around the generally negative view held by many in the infosec community towards the software giant.

“Oracle’s public admission that they have a security problem with the Java browser plugin is a step forward," said Andrew Storms, director of security operations for nCircle.

"It’s good to finally see Oracle acknowledge the seriousness of the situation. Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb."

Java has become an easy target for hackers. For example, the vulnerability recently patched by Oracle was exploited for five years in the high-profile Red October espionage against government agencies in the former Soviet Union.

But Oracle's conference call failed to hint at these sorts of problems and lacked dynamism in general, said Storms.

“The content in the Java security discussion was pretty lacklustre," he added.

"You’ve got to wonder what role the Oracle press team has had in the company’s response to all the security criticism they’ve had lately. I felt bad for the people representing Oracle on this call because they didn’t sound well-prepared.

"They didn’t sound like they had a clear idea of what to do, what to say or even exactly who they were speaking to."

The historic antipathy between security researchers and Oracle is partially explained by the software giant's often painfully slow acknowledgement of security problems as well as its staggered release of patches - both for Java and for its database software and other enterprise applications.

Rather than working together with security experts - such as David Litchfield - who discover and report dangerous programming flaws, Oracle has been, by several accounts, difficult, unresponsive and occasionally combative.

Oracle needs to take a leaf out of Microsoft's book and play nice with researchers. A little engagement from its side would go a long way towards getting more outside input on bugs.

Robert "RSnake" Hansen, web application security guru and chief exec of Falling Rock Networks, joked: "At what point do we get to put Java on the stopbadware list?" ®
