The sad state of Java security

The problem of Oracle is that they bought a technology that was stretched out to be actually “write once, run everywhere”. The Virtual Machine that provides this functionality had to be ported to all devices, and lately (in the past few years) also on mobile devices.

As written in the news, even if the “run everywhere” meant initially “run on every platform” – so cross platform – this concept has been now extended to actually run on platforms used by mobile devices as well (ubiquitous computing).

During the last years, Java evolved while it has been ported to the new platforms and devices. Each version of Java brought improvements and changes, sometimes not backward compatible. During this time, the applications that were created against a certain version of Java, for different reasons, were never updated to use the latest version. So, the users of these applications never upgraded their application and therefore they didn't have to update the Java version required by these programs.

 

The difference between updating and upgrading is a matter of interpretation by the implementer. Usually, the term update means to improve an existing version by fixing bugs or adding minor functionality. The main functionality, supported platforms and the interface remain the same in an update.

An upgrade, on the contrary, might change the interface, add completely new features, remove old features, add or remove support for new or old platforms. Depending on the product that gets upgraded, an upgrade might require to replace the older versions (take as the best example Antivirus software) or might coexist with older versions very well. 

 

The bad news

The bad news is that many of those applications remained stuck to a certain Java version because the companies that created them don’t exist anymore or require their customers/users to purchase again the product that was adapted to work with newer versions of Java.
That’s why we have so many dependencies on so many old Java versions in the wild.
And there is no chance to see a change in the near future.
Remember the saying “never change a running system” ? That’s exactly what is happening out there. Ten or fifteen years ago, when many of those applications were written, there was no danger that hackers will perform penetration testing on them with the only purpose of discovering vulnerabilities that can be exploited. Now we have this danger and Oracle sees itself in front of a big problem which has many faces.

On one side, they paid ~1 billion USD on Sun's Java with the hope to “run everywhere”.
Now, because they run everywhere, and they run so many versions, they are faced with the challenge to invest more and more in older versions of Java.

Another side of the problem is the fact that they have so much legacy code in Java that not many of the (remaining) developers are able to understand. So, even if they would like to fix the problems, it takes a while until the existing developers are able to understand the problems, mitigate the risks and fix the problems.

 

About Oracle's plans for the future

I was very happy to see the security initiative of Oracle called “Software Security Assurance” http://www.oracle.com/us/support/assurance/overview/index.html.

In an article called "Oracle Adds Java to Quarterly Updates, Defends Security Improvements", John Waters of ADT Magazine interviewed and quoted some Oracle executives in regard to the recent zero-day vulnerabilities of Java and what Oracle is doing to mitigate these issues. "We're doing everything possible to both introduce enhancements in terms of security features, as well as fixing all of the existing vulnerabilities across the board," Nandini Ramani, vice president of development in Oracle's Java Platform group said. "But ultimately people have to update" she added.

This means that they are trying, which is good…

My personal opinion is that it takes more to overcome those problems. Even if they fix the most critical vulnerabilities in the latest version of Java, the biggest problems still remain out there: the old versions.

Oracle says now that the users are (partially) responsible for the security issues of these old versions because they haven't upgraded. But how would a user upgrade a DVD player, TV, and other devices if the producer of the device is not providing updates?

The comment of Georges Saab, another Oracle executive, is the one that shows exactly how Oracle's executives are thinking in regard to fixing these issue: "[…]that’s part of what has made Java seem so vulnerable".

"Seem so vulnerable" ?

So all those zero days vulnerabilities that got exploited in large scale were just our imagination.Nice…

It is just the press and "the bad guys" that are just making Java "seem vulnerable". But this is not all…

Mr. Saab continues to ignore the reality and he argues "things are settling down". I dare to say that this is not the case. At least not yet. If this would be indeed the case, how come that they release 51 security fixes for Java? And nobody knows how many others were postponed because they are "since years" in the code.

I am glad and I applaud that Java 7 is being stabilized and made more secure.

Nevertheless, I continue to think that this security initiative of Oracle is just meant to silence the enterprise customers with big support contracts.

 

Now what?

If I were Oracle, I would not invest anymore in Java in the way they are doing it now, I would make the software available to 3rd parties for free or for a fee. This would not mean to make the code open source. It would be way to dangerous for the not upgraded applications which are full of vulnerabilities. 

Making it available would create an entirely new ecosystem with companies that can take care of the current version as well as of the legacy Java versions. I imagine that if the code would be available to companies that are able to deal with its complexity and have a way to make money out of it, they would be able to deal with the old problems against a service fee. And I am not talking only about the Java itself, also the legacy applications built against old Java versions can be reimplemented by these companies. 

The big question is how much would Oracle lose from this? I personally don't think that they would lose anything here, but I can't say what lays behind the scene.

Another possible problem is the revenue loss that they make today by distributing 3rd party software like toolbars, online scanners and others that Oracle tried so far.

 

 What do you think? Do you see any other solutions for these problems?

 

 

 

Sorin Mustaca

CSSLP,Security+, Project+

http://www.sorinmustaca.com 

 

via (ISC)2 Blog http://feedproxy.google.com/~r/isc2Blog/~3/PySN-N3T7TA/the-sad-state-of-java-security.html


© Copyright 2013 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch