Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch

Posted by samzenpus
from the long-road-coming dept.
An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."
  • by buchner.johannes (1139593) on Monday January 14, 2013 @01:30PM (#42583129) Homepage Journal

    What happened? Most of these exploits seem to rely on rewriting methods / accessing byte code ... how about disabling that access for applets as a temporary measure?

  • by Anonymous Coward on Monday January 14, 2013 @01:35PM (#42583195)

    The solution is to stop running untrusted code in your browser. If you are using a browser's default configuration, then any time you go to a website, the browser will automatically download and execute software from the website, in the form of Flash, Java applets, javascript, and Silverlight, if you have it installed.

    And you think there aren't any vulnerabilities in any of those sandboxes?

  • by Todd Knarr (15451) on Monday January 14, 2013 @01:35PM (#42583205) Homepage

    The safest thing to do at this point is just assume that Java is always going to be vulnerable.

    That's not specific to Java, it applies to all software that's downloaded from an outside source and run on your local machine. That means Adobe Reader (PDF is simply a wrapper for a program written in Postscript), Flash (ditto, written in a special programming language) and even Javascript. It even includes downloaded TrueType fonts (the font hinting program they can include is just that, an executable program). Don't dismiss them just because they're sandboxed. Java was sandboxed, that didn't stop this vulnerability. Sandboxes are software and software has bugs in it, always. The only question is the number and severity of the bugs. The simpler the software, the fewer bugs there tend to be because there's fewer places for them to hide. Their favorite hiding place is in unexpected interactions between different parts of a piece of software, or between the software and the system it runs in, and simpler software has fewer and simpler interactions that're easier to get right.

    This even applies to software you buy from a vendor. The difference is that with bought software you tend to download it only a few times and always directly from the source. Contrast this with the Web, where you're downloading multiple pieces of software on virtually every Web page you hit with no idea where they're coming from (and, in the case of advertising networks, the place you download them from may not even know who or where they're coming from).

  • by bobdehnhardt (18286) on Monday January 14, 2013 @01:35PM (#42583215)

    Nothing is truly secure, it's simply in a state where the vulnerabilities haven't been discovered yet.

  • Fact free claims (Score:2, Insightful)

    by Anonymous Coward on Monday January 14, 2013 @01:37PM (#42583239)

    HD Moore, chief security officer with Rapid7, a company that helps businesses identify critical security vulnerabilities in their networks, said it could take two years for Oracle to fix all the security bugs that have currently been identified in the version of Java that is used for surfing the Web.

    How is Mr. Moore computing this interval? Nothing is offered in these stories about why it would take Oracle "two years" to "fix" the "security bugs".

  • by robmv (855035) on Monday January 14, 2013 @01:40PM (#42583267)

    I don't think Java the platform is a security nightmare, but if someone doesn't need it then don't install it; reduce your chances of being attacked through software you don't use.

    Every Chrome/Firefox release has security vulnerability fixes, sometimes bugs as critical as this one, and I don't see people screaming "Remove Chrome, Disable Firefox...". All software has bugs; the problem with Java is the slow response of Oracle (and Sun at the time) in fixing things. The update cycles are too long, and only when a critical bug that is very loud in the media is found do you see them pushing a fix.

  • by TheGratefulNet (143330) on Monday January 14, 2013 @01:40PM (#42583273)

    In short, 'mobile code' (stuff that is sent across from them to you, to be run on YOUR platform) is untrustable by nature.

    I never liked the idea of it, not once. I think it's all a security fail.

    'Here, here's some binary code. Run this. No, don't ask questions, just execute this, please.'

    Why people thought that was a good idea is beyond me.

  • by Anonymous Coward on Monday January 14, 2013 @01:45PM (#42583321)

    The idea is that you are at the same time providing a full language and a sandbox. Together. Java is not inherently more or less secure than any other language (well, mostly), but the above premise is extremely hard to pull off correctly. Think of an applet as some piece of code you download and execute. Would you trust doing that in any special language? Think of Flash, how many flash issues have we seen? And Flash is "less complex" than Java.

  • Re:Two years? (Score:5, Insightful)

    by Anonymous Coward on Monday January 14, 2013 @01:48PM (#42583361)

    It looks like he randomly pulled a time frame. I cannot find an explanation for the two year estimate.

    Ah, but that's the beauty of it! Owing to the blind hatred of Java around these parts, he can pull any alarmist timeframe out of his ass at any time, and we're certainly not going to argue with him!!! If anyone does, we can accuse them of liking Java, and then we excommunicate them and shame them in the entire software engineering world until they can't ever get a job again as a warning to others! It's brilliant!

  • by gandhi_2 (1108023) on Monday January 14, 2013 @01:51PM (#42583399) Homepage

    Maybe if they'd spent less time trying to get people to install ask toolbar or somesuch bullshit....

  • by amicusNYCL (1538833) on Monday January 14, 2013 @01:59PM (#42583485)

    You think the chief security officer of Rapid7 doesn't understand the nature of Java, huh? It's not that he's trying to use language that most people would understand, but that he actually does not know that Java is a programming language and what the JVM actually is. That's some stunning logic you've got there. He sounds like he probably knows his stuff [rapid7.com].

  • by Anonymous Coward on Monday January 14, 2013 @02:02PM (#42583523)

    They did not do nothing about it, they did release a patch. (That patch was insufficient and that is a valid point to criticize Oracle.)

  • by Anonymous Coward on Monday January 14, 2013 @02:07PM (#42583567)

    Running programs from untrusted sources has always been inadvisable. I run Java every day, and I'm not worried at all about getting compromised. Apps like ImageJ or UGENE, if they weren't written in Java, would be written in a native language which would be just as dangerous to install. So don't be an idiot and run programs from random websites and you'll be fine.

    The problem is, the default Java runtime install includes a browser plugin that allows Java applets embedded in a webpage to run automatically. Code delivered this way is supposed to run inside a strict sandbox, but that sandbox has been repeatedly shown to be full of holes.

    (Desktop apps written in Java, including UGENE and ImageJ [and Eclipse, and the mostly-not-Java LibreOffice] do not use the browser plugin and will run fine even if the browser plugin is disabled or deleted completely. Your standard don't-be-an-idiot advice does indeed apply to these kinds of apps. But the JRE you installed to run ImageJ will install the browser plugin you never asked for and don't need.)

    Oracle really should consider making the browser plugin a separate, optional, non-default installation.

  • by bcrowell (177657) on Monday January 14, 2013 @02:53PM (#42584065) Homepage

    To paraphrase a well known saying, I think it's time for the internet to start seeing Oracle as damage and route around it.

    One really simple thing that seems needed, and that should be extremely simple to do, would be a whitelist/blacklist plugin for Java applets in Firefox. The vast majority of Java applet users are probably people who work in a bank, a law practice, or a medical office and only ever need to use a single applet. They need an option where they can blacklist all Java applets by default, but allow applets from medicalrecords.com or whatever. These folks can't just disable the Java plugin completely. Setting plugins.click_to_play to true is also a solution, but it breaks sites that use Flash, and it doesn't protect the business against an office worker who clicks on stuff without thinking. (I tried setting this flag on my desktop box at home, and it was too much of a nuisance. This is what I have Flashblock for, and Flashblock does the job better.)

    Another helpful step would be to make it easier for people to find out which versions of Java they have on their computers and easier for them to avoid unsafe versions. On my Ubuntu box, managing this is a total mess. If I do "java -version", it tells me I'm running Java 1.6, which would be immune to this vulnerability. But if I check inside the directory /usr/lib/jvm, it turns out I actually have 1.5, 1.6, and 1.7 all installed. Well, which one is Firefox using? I get zero results from "dpkg --get-selections icedtea". In Firefox, doing Tools > Add-ons > Plugins tells me I have IcedTea-Web 1.2, which tells me nothing about the Java version. Typing about:plugins in the URL bar shows me literally two dozen version numbers. Googling turns up somebody's test app at http://javatester.org/version.html [javatester.org], but (a) how do I know this guy isn't a black hat, and (b) even if that showed I was currently running 1.6, what happens if a future apt-get upgrade bumps me into 1.7?

    The final thing that should really happen IMO is that the OSS community should get off the Java upgrade treadmill. The IcedTea [wikipedia.org] project should designate some version such as 1.6 as a high-security, stable version and focus some real effort on making that version secure. Distros should stop packaging 1.7+ until the dust settles -- and if that takes a couple of years, who the heck cares? Hell, I wouldn't care if it took a decade, or forever.

  • Re:Two years? (Score:3, Insightful)

    by mcgrew (92797) * on Monday January 14, 2013 @02:55PM (#42584091) Homepage Journal

    Owing to the blind hatred of Java around these parts

    The hatred is by no means blind. And it isn't hatred so much as simple disgust.

  • Re:Two years? (Score:4, Insightful)

    by LordLimecat (1103839) on Monday January 14, 2013 @03:16PM (#42584283)

    and we're certainly not going to argue with him

    Why would we? Given that Java has been a security nightmare for 5+ years, 2 years to "secure" it (i.e., so it doesn't have a critical exploit every 2 months) doesn't seem far fetched. If anything it's conservative.

    Seriously, anyone want to take bets on whether in 2 years browsers will still treat the Java plugin as an unusual security case? (Firefox / Chrome auto-disable Java unless it's the most current version due to its massive problems.)

  • by LordLimecat (1103839) on Monday January 14, 2013 @03:18PM (#42584311)

    Living is a risk. You have to quantify and try to mitigate the bigger risks.

    Java qualifies as a "bigger risk", and you mitigate it by uninstalling JRE.

  • by squiggleslash (241428) on Monday January 14, 2013 @03:18PM (#42584313) Homepage Journal

    Disuse leads to misuse.

    I'm serious. Java (on the web browser) got ignored, Flash (a more complex system so misleadingly more insecure) got the attention, and as a result Sun, and then Oracle, increasingly went to "phoning it in" as far as updating the Java plug-in went. If you want to know where the security holes are in any system, don't look at the parts that everyone uses, as those are the parts the security people are all over.

  • by Anonymous Coward on Monday January 14, 2013 @03:30PM (#42584461)

    Taking half a year to release the patch is also a valid point to criticize.

  • by VGPowerlord (621254) on Monday January 14, 2013 @04:00PM (#42584733)

    They did not do nothing about it, they did release a patch. (That patch was insufficient and that is a valid point to criticize Oracle.)

    Taking half a year to release the patch is also a valid point to criticize.

    The GP wasn't talking about the patch from Saturday.

    There was a previous patch [slashdot.org] in October that partly plugged the hole that was exploited this time, and Oracle should definitely be bashed for that.

  • by drkstr1 (2072368) on Monday January 14, 2013 @07:37PM (#42586953)

    It's just a widely deployed target (much like Flash, PDF, and Windows), which means the baddies get a better ROI on their efforts. It's nearly impossible to fully lock down a platform like that while still providing functionality above and beyond HTML/JS. Even less so because it's a valuable target with lots of attention.

  • by Anonymous Coward on Monday January 14, 2013 @09:29PM (#42587811)

    No, no, no and no.

    That is a terrible logical fallacy and every time it comes up it gets to +5 Insightful. This is just as broken as the "broken windows" fallacy (nothing to do with Microsoft Windows, btw). And for whatever reason, even smart people fall for it.

    The fallacy you're falling for is basically the "shades of gray" fallacy. Instead of having two choices (black or white) you argue that it's all gray. But hence you're restricting the issue to something even more simplistic than before: now instead of two colors, there's only one (gray, no matter the shade).

    So instead of saying that there are technologies inherently more secure than others (for example OpenBSD hasn't been "rooted" nearly as many times as Windows XP), you're saying: "But OpenBSD had *two* remote-root bugs already found in 12 years and there are probably others, but we haven't found them yet. So it is impossible to create something secure".

    And by doing so you're implying that OpenBSD or Windows XP, it doesn't matter, it's all gray. Because nothing is truly secure.

    And it's very sad. And it's a terrible fallacy to fall for.
