The sad state of Java security

I wrote many times about Java, their vulnerabilities, how to disable it… Just search in this blog for the term Java.

javaoracle

 

 

 

 

I’ve been asked many times why do I think that we are seeing these zero day vulnerabilities.

The problem

The problem of Oracle is that they bought a technology that was stretched out to be actually “write once, run everywhere”.
The Virtual Machine that provides this functionality had to be ported to all devices, and lately (in the past few years) also on mobile devices.
As written in the news, even if the “run everywhere” meant initially “run on every platform” – so cross platform, this concept has been now extended to actually run on platforms used by mobile devices as well (ubiquitous computing).
The difference between updating and upgrading is a matter of interpretation by the implementer. Usually, the term update means to improve an existing version by fixing bugs or adding minor functionality. The main functionality, supported platforms and the interface remain the same in an update. An upgrade, on the contrary, might change the interface, add completely new features, remove old features, add or remove support for new or old platforms. Depending on the product that gets upgraded, an upgrade might require to replace the older versions (take as the best example Antivirus software) or might coexist with older versions very well (Java, web browsers, etc.). There are many applications out there which were built years ago against a certain interface of Java. This means automatically, a certain version of Java.

The bad news

The bad news related to Java is that many of those applications remained stuck to a certain Java version because the companies that created them don’t exists anymore or require purchasing again the product, or any other reasons.
That’s why we have so many dependencies on so many Java versions in the wild.
And the even worse news is that there is no chance to see a change in the near future.
Remember the saying “never change a running system” ? That’s exactly what is happening out there. Ten or fifteen years ago when many of those applications were written, there was no danger of hacker to do pen-testing on them with the only purpose of discovering vulnerabilities that can get exploited. Now we have this danger and Oracle sees itself in front of a big problem which has many faces.

On one side, they paid 1 billion USD on Java with the hope to “run everywhere”.
Now, because they run everywhere, and they run so many versions, they are faced with the challenge to invest more and more on older versions of Java. So, my guess for this is, that they not only aren’t making any money with Java, they are even forced to pay a lot to fix these security issues.

Another side of the problem is the fact that they have so much legacy code in Java that not many of the left developers are able to understand. So, even if they would like to fix the problems, it takes a while until the existing developers are able to understand the problems, mitigate the risks and fix the problems.

The good news

I was very happy to see the security initiative of Oracle called “Software Security Assurance”  http://www.oracle.com/us/support/assurance/overview/index.html.
This means that they are trying… My personal opinion is that it takes more to overcome those problems.

Now what?

If I were Oracle, I would not invest anymore in Java in the way they are doing it now, I would make the software open source.
Making it open source would create an entirely new ecosystem with companies that can take care of the legacy Java versions like Java older than v6.
 


© Copyright 2013 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.mustaca.com for the IT Consulting services I offer.
Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie http://de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca

Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since year 2000 in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is an independent IT Security Consultant focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .

Comments are closed.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close