Over the course of the last two years, Oracle’s Java has been exploited time and again as hackers eviscerate the technology, seemingly at will.
As each exploit emerges against Java, Oracle typically responds within a short period of time with a security update, only to have the update exploited within days. While Oracle has pledged with its successive releases that it is improving Java security, the company has not publicly spoken out about the string of exploitation that has crippled confidence in Java in recent months. That is until now.
“As many of you are keenly aware, there has been a veritable media firestorm around the recent Java vulnerability,” Reza Rahman, Java EE evangelist at Oracle, blogged. “As you know, the vulnerability pertains to Java on the browser, not server-side Java, desktop Java or embedded Java. You may also have been frustrated with Oracle’s relative silence on the issue.”
Oracle’s most recent Java patch was issued in early January. The Java 7 update 11 (7u11) release was triggered by zero-day attacks against Java. 7u11 followed the 7u10 update by less than a month. Both 7u10 and 7u11 were intended to make Java more secure through the use of a new security control. 7u10 was exploited, and now the 7u11 update has been publicly reported to be at risk as well.
In a call made publicly available by Oracle, the leaders of the Java development group took up the issue of what’s wrong with Java today.
“We have to fix Java, and we have been doing that,” Oracle Java security lead Milton Smith said during the call.
Smith highlighted the new security slider that debuted in the 7u10 release as being a positive step forward. He also identified the core focus for his team’s security efforts.
“A lot of the things we’re looking at focus on Java in the browser,” Smith said. “That’s where we have seen most of the weakness with Java, and that is the concern we are targeting.”
While Smith aimed to strike a positive tone about the future direction of Java security, those in the security research community are not as optimistic. HD Moore, CSO of Rapid7 and chief architect of the Metasploit framework, told eSecurity Planet that in his view Smith did not inspire any confidence that Oracle was on the right track or applying the right resources to the problem.
Smith made a number of excuses during the call, including noting that the Java security group is small, that it is difficult to get the message out and that Smith himself is still a little new to the role, Moore pointed out. “It didn’t sound like Oracle was providing much support for this team, let alone bringing in experts on SDLC or security response.”
Better Communication Needed
While few tangible fixes were discussed during the Java security call, Smith repeatedly highlighted the Java 7u10 update, which provided improved controls and a Java security slider.
“Unfortunately all of these features had little impact on the most recent zero-day exploit, which had to be fixed by 7u11,” Moore said.
Moore labeled Oracle’s recent Java security issues a “communications problem” and said users were not aware of the new features.
“In general, no tangible answers were provided to any of the key questions,” Moore said. “The discussion around auto-updates went around for a bit and finally ended up with a discussion of whether it would fit into a Java 8 or Java 9 release.”
Andrew Storms, director of security operations for nCircle, echoed Moore’s lack of excitement about Oracle’s Java security plans. Storms described the Java security discussion as pretty lackluster.
“It’s good to finally see Oracle acknowledge the seriousness of the situation,” Storms said. “Unfortunately, we needed this admission a year ago before their customers started losing trust in Java security. Now Oracle has a very steep credibility hill to climb.”