Oracle is serious about Java security and is investing both in people and technology to make it happen. That’s the key message coming from Oracle as it releases its April Critical Patch Update (CPU) for Java, fixing no less than 41 vulnerabilities.
Of those 41 vulnerabilities, 18 of them carry the highest possible CVSS Base Score of 10.0, meaning they are highly critical issues that need to be patched rapidly. Included among the April CPU patches are four vulnerabilities that were publicly demonstrated at the Pwn2Own hacking challenge in March. The Pw2Own vulnerabilities were privately reported to Oracle via contest organizer HP TippingPoint ZDI (Zero Day Initiative). HP paid security researchers $20,000 for each of the Java exploits as part of Pwn2Own.
Hasan Rizvi, executive vice president Java and Oracle Fusion Middleware, told eSecurity Planet that one of the issues reported at the ZDI event was already known by Oracle. “It had been found internally and had already been scheduled for inclusion in the April 2013 Critical Patch Update,” he said.
With the new Java update, Oracle is now also going to lock down applets and require that code is signed before it can run, even for sandboxed apps.
“The majority of the recently disclosed vulnerabilities and vulnerabilities fixed in the Critical Patch Update for Java SE resulted in effectively allowing escape from the sandbox,” Rizvi said. “To a large extent, active exploitations of these vulnerabilities were taking advantage of the legacy practice that allowed sandboxed Java applets and web start applications to run without any warning to the user.”
Rizvi noted that the signing requirement will improve the security of Java users in a number of ways. For one, it will create some sense of accountability with Java code developers.
“Malicious attackers will be required to purchase a code-signing certificate,” he said. “Note that before issuing a code-signing certificate, certificate authorities generally perform certain checks to ensure the identity of the person applying for the certificates.”
Oracle will be able to identify where the certificate came from and will have the ability to blacklist the certificate and the application.
The signing certificates are standard X.509 code-signing certificates, Rizvi explained. They can be issued by any certificate authority (CA) recognized by Java. The Online Certificate Status Protocol (OCSP) that is implemented in all modern Web browsers can be used to validate a given certificate. OCSP checking will not be the default in the Java Control Panel until the June 2013 Java update.
In addition to OCSP validation, Oracle now maintains a private blacklist for both applications and certificates.
“This provides Oracle with the ability to quickly blacklist any malicious use of signed Java applets or web start applications even if CRL/OCSP checks have not been enabled by the Java user,” Rizvi said.
Code signing will also help users validate code as having come from a known and trusted source. Rizvi also expects that code signing will help eliminate “silent exploits” in which a user’s system may be compromised without warning.
Java Security Investments
In January of this year, Oracle developers made a candid admission that Java needed to be fixed. Since then, Oracle has invested in technology and personnel to make that happen. Rizvi noted that Oracle has hired and continues to hire across all areas of Java development, including security.
“At Oracle, ‘every developer is a security rifleman’ and additional security expertise is also found with security-focused developers, architects and managers for the purpose of enforcing security policies and dealing with security-sensitive components,” Rizvi said.
Development retains security ownership of the code it develops, he said. Additional security-specific resources are available within the development function and also from Oracle’s central security organization, which offers developers assistance with tools, ethical hacking and other areas.
Going a step further, Rizvi stressed that every Java developer at Oracle is trained on security, and compliance with security training is recorded in Oracle’s HR systems.
Procedures for peer review, automated testing and other functions exist within the Java development process, Rizvi said. “A feedback loop also exists to train developers on mistakes commonly made and over time further improve the security worthiness of the Java code.”