Experts prod Oracle to fix broken Java security
Take a mulligan, redesign Java, urges one
Computerworld - Beset by some very public vulnerabilities in Java, and apparently unable to properly patch those bugs, Oracle must dramatically step up its security game, experts said Monday.
"Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it, and those concerns leak over onto every Oracle product," said Andrew Storms, director of security operations at nCircle Security, in an email.
Storms and others were reacting to the latest "zero-day" vulnerability in Java's browser plug-in, a flaw spotted two weeks ago being exploited by several crimeware kits. Oracle patched the bug on Jan. 13, but researchers quickly pointed out that the patch itself was flawed.
Even after Oracle patched the vulnerability, the U.S. Computer Emergency Readiness Team (US-CERT), part of the U.S. Department of Homeland Security, took the highly unusual step of continuing to urge users to disable Java in their browsers, citing "the number and severity of this and prior Java vulnerabilities" as its reason.
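As an added example (not part of the original Computerworld article), the following Java Deployment Toolkit configuration shows one way an administrator could enforce what US-CERT recommended above: switching off the browser plug-in for all users of a machine rather than relying on each user to do it in the Java Control Panel. It assumes a system-level `deployment.properties` file pointed to by a `deployment.config` file, a mechanism Oracle introduced with Java 7 Update 10; the exact file locations differ by platform and Java release, so check the deployment documentation for the version you run.

```properties
# deployment.config (system-wide): point the JRE at a mandatory
# system-level properties file so per-user settings cannot override it.
deployment.system.config=file:/etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# deployment.properties (system-wide):
# Disable Java content in all browsers and lock the setting so the
# Java Control Panel cannot re-enable it.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Belt and braces for hosts that must keep the plug-in: require the
# strictest security level and keep the version-expiration check on,
# so an out-of-date JRE warns before running applets.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.expiration.check.enabled=true
deployment.expiration.check.enabled.locked
```

A quick way to confirm the setting took effect is to open the Java Control Panel's Security tab and verify that "Enable Java content in the browser" is unchecked and greyed out; note that this only governs the JRE's browser plug-in, so browsers that block or have removed NPAPI plug-ins are unaffected either way, and standalone Java applications continue to run.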
In email interviews, several experts offered explanations for Oracle's inability to properly patch the latest vulnerability, and urged the company to adopt more rigorous development practices, much as Microsoft did almost a decade ago.
Adam Gowdiak, founder and CEO of Security Explorations, has reported dozens of Java vulnerabilities to Oracle. He was the first to assert that the company's emergency update of Jan. 13 introduced two new bugs, and has claimed Oracle should have patched the latest publicly exploited vulnerability when it addressed an August 2012 flaw in the same section of Java's code.
Today Gowdiak argued that Oracle has been guilty of sloppy work, then cited other failings. "The incidents related to zero-day Java attack code exploiting security issues already known to Oracle show that the company's three-times-a-year Java patch release cycle does not really protect the security and privacy of Java users," Gowdiak said.
Storms chimed in with some harsh criticism, as well.
"Obviously, there's something broken in the Java development or design cycles," Storms said. "Oracle needs to wake up and learn secure software development. [But] that's probably a pipe-dream [because] as usual Oracle seems to be aloof and uninterested in the plight of their customers."
HD Moore, the chief security officer at Rapid7 and the creator of Metasploit, an open-source penetration testing toolkit used by both legitimate and criminal hackers, was willing to cut Oracle some slack on last week's flawed update.
"We have to keep in mind that it was released under duress and did help with the immediate problem of consumers being compromised," said Moore of Oracle's rapid turnaround. He also assumed Oracle engineers are continuing to work the problem for a higher-quality update. "But given its complexity, and requirements with backward compatibility, it may be a while before this class of flaws is finally put to rest," Moore added.
All three experts called on Oracle to adopt a Microsoft-esque approach, where security is an integral part of the development process.