Oracle 'fesses up: Java security flaws more than storm in teacup

Remains silent on shifting crapware with its patches

Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps.

In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated with Oracle's relative silence on the issue".

Oracle released a new version of Java 7 (Java 7u11) on 13 January designed to plug a zero-day vulnerability that has been exploited in the wild. The update was important because the exploit for the bug had been "weaponised" and bundled in widely available black-market hacking toolkits in the week prior to Oracle's emergency out-of-band update.

In an advisory, Oracle explained that the update switched default Java security settings to "High" so that users will be prompted to allow cryptographically self-signed, or completely unsigned, Java applets to run.

The security flap generated plenty of publicity, especially after the US Department of Homeland Security warned that despite the updates, Java remained a weak target in browsers. Several antivirus firms, including F-Secure and Sophos, advised users to disable Java plugins for their main browser to minimise exposure to future attacks.

Metasploit founder HD Moore warned Oracle was still sitting on a backlog of Java flaws that will take up to two years to patch, even without the discovery of new flaws.

Oracle clearly doesn't care much for this advice or these observations. The facts of the matter, however, have limited it to stating that the vulnerability was confined to Java in the browser. It pointed out that server-side Java, desktop Java and embedded Java are immune from the recent attacks, which broke the security seals on browser plugins and compromised victims' computers.

In a somewhat delayed communications offensive, Oracle uploaded an MP3 recording of a conference call between the Java User Group and two techies: the head of security for Java at Oracle, Milton Smith, and Donald Smith from the OpenJDK (Open Java Development Kit) Group. The call covered "Java security, bundled software installers, openness, communication and the technical/journalistic quality of recent press coverage".

We listened so that you don't have to. You're welcome

El Reg's security desk sat through the 52-minute-long call.

Milton Smith started off by saying: "The plan for Java security is really simple: it's to get Java fixed up, number one, and then, number two, to communicate our efforts widely."

The talk frequently branched off into procedural discussions about topics such as whether or not to have a security session at the Java One conference and how to communicate with consumers. It also covered the possibility of automatic updates and touched on Oracle's much-criticised practice of bundling third-party crapware - such as a web search toolbar - with Java security updates.

Donald Smith said he wasn't able to discuss the pushing of the Ask Toolbar onto users, nor the related McAfee security updates that appeared minutes after the official Java security patch was issued, as it was a commercially sensitive issue. He criticised the media for putting out the "loose" message to uninstall Java, while admitting there was a security issue with the runtime in web browsers.

The software giant described the conference call as the "tip of the iceberg of what will be done on the Java Security and communication fronts".

Security bods: Oracle has steep credibility hill to climb

Oracle’s first public admission that Java suffers security flaws was pretty stodgy fare that's thus far failed to turn around the generally negative view held by many in the infosec community towards the software giant.

“Oracle’s public admission that they have a security problem with the Java browser plugin is a step forward," said Andrew Storms, director of security operations for nCircle.

"It’s good to finally see Oracle acknowledge the seriousness of the situation. Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb."

Java has become an easy target for hackers. For example, the vulnerability recently patched by Oracle was exploited for five years in the high-profile Red October espionage against government agencies in the former Soviet Union.

But Oracle's conference call failed to hint at these sorts of problems and lacked dynamism in general, said Storms.

“The content in the Java security discussion was pretty lacklustre," he added.

"You’ve got to wonder what role the Oracle press team has had in the company’s response to all the security criticism they’ve had lately. I felt bad for the people representing Oracle on this call because they didn’t sound well-prepared.

"They didn’t sound like they had a clear idea of what to do, what to say or even exactly who they were speaking to."

The historic antipathy between security researchers and Oracle is partially explained by the software giant's often painfully slow acknowledgement of security problems as well as its staggered release of patches - both for Java and for its database software and other enterprise applications.

Rather than working together with security experts - such as David Litchfield - who discover and report dangerous programming flaws, Oracle has been, by several accounts, difficult, unresponsive and occasionally combative.

Oracle needs to take a leaf out of Microsoft's book and play nice with researchers. A little engagement from its side would go a long way towards getting more outside input on bugs.

Robert "RSnake" Hansen, web application security guru and chief exec of Falling Rock Networks, joked: "At what point do we get to put Java on the stopbadware list?" ®
