Last week, another Java exploit hit the world. However, this time people did not just roll over and go back to sleep; the message was clear – disable Java. The Department of Homeland Security even chimed in on this issue, which was atypical. There is plenty of discussion on this issue: Krebs on Security, Oracle Blog, NIST website. Was this reaction reasonable?
Absolutely. The message is pretty clear here – Java’s vulnerabilities are a serious problem. I agree. Java is a risky environment, whether on the desktop, the server or otherwise. Java has been the root cause of a lot of very serious vulnerabilities. Moreover, based on our experience at Anitian, many of the serious intrusions we have seen were the result of exploiting Java, specifically a desktop instance of the JDK.
Java Vulnerabilities Analysis
I have written before that Java is no longer just a runtime, it has become a zero day attack platform (see Java and Adobe – A Hacker’s Best Friends). There are a few reasons for this assessment:
First, Java is a widely available runtime. A lot of software requires Java, so it is installed in a lot of places. Moreover, many users probably are not even aware they have Java. It comes pre-packaged with a lot of software.
Second, and perhaps most troubling, Oracle has not been the most diligent company when it comes to security. They have been slow to patch and, in some cases, do not even patch the right things. Just last September, Oracle came under fire for a rather easy authentication exploit against their database systems (more info here).
Lastly, Java is powerful. Java as a language allows developers to do a lot. Part of the appeal of Java for programmers is the ease of use, the power of the components, and the vastness of the libraries. Java allows mediocre programmers to do great things. It does not have the complexities of C or the price tag of .NET. However, all these programming benefits can create security problems. A powerful tool in the hands of inexperienced users is a recipe for security problems.
On the other side of the equation are the hackers, and hackers like Java. They like Java a lot. The BlackHole and Nuclear Pack crimeware kits have lots of Java exploits. Some of the most sophisticated hacks and malware that have come out in the last few years have leveraged Java. Java empowers hackers because the runtimes can do a lot and do not require complex code. While Java itself might not be the intended target of the hack, Java gives the attacker a beachhead that can be used to drop files or obtain a shell. With that access, the hacker can then install more tools and pivot from the infected host to go after other hosts.
However, Oracle deserves some praise for getting a patch to the latest vulnerability out quickly. Unfortunately, many people will not get that patch. Because Java is a third-party component, and many organizations do not aggressively patch third party components (and even fewer home users), the majority of users will remain running vulnerable versions of Java. The lack of third party patching is not Oracle’s fault. However, it would be nice if Oracle could play nice with Microsoft and start letting Windows Update patch Java. I do not see that happening any time in the near future.
Lastly, to compound this issue even further, Oracle’s patch actually only fixes one of the two serious vulnerabilities. This is described in greater detail here.
Advice to Oracle
It is time for Oracle to step up and make Java security a bigger priority. I realize that Java came to Oracle with the acquisition of Sun, but they own it now. Oracle has been arrogant about their products, acting as if security is a nuisance they address whenever it suits them. It is time for Oracle to face reality like the rest of us and admit they need to clean up Java as well as some of their other products (like PeopleSoft!).
This quick response to the latest vulnerability was a step in the right direction. Keep up the good work. Now, let’s hear from Oracle people on how they are making security a priority.
Lastly, it is time for Microsoft and Oracle to play nice with each other. Java is still out there and obviously is not going away. Oracle should go to Microsoft, make nice, and get Microsoft to start including patches to Java in Windows Updates. This could resolve a lot of the problems with Java in the world and give the crimeware makers some real indigestion.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com