Java Security Madness

Wed, 16 Jan 2013 23:02:11 +0000

It seems that Oracle has seriously botched Java security. But who really believes that, as H.D. Moore of Rapid7 claims, it could take them two years to solve all of the problems?

The recent Java bugs have been known for some time, though perhaps not by the general public. Weeks ago, the Firefox browser started warning users to disable the Java plugin. It's not unusual for developers to be warned before a security breach is made public. They try to close security holes before more people know about them and can exploit them, although since the Java browser plugin isn't Open Source - it's a proprietary product of Oracle - Firefox couldn't do anything this time but suggest that you remove it.

One of the problems is the monoculture nature of Java, which isn't really necessary. Everybody runs the same version from the same manufacturer right now, so everybody has the same bugs at the same time. "Develop once, run everywhere", the Java motto, doesn't also include "always buy from Oracle" as much as they might wish it did. There are a number of Java environments from entities other than Oracle: the one called "Dalvik" produced by Google that operates Android phones (safely, as far as we're aware), other versions produced by Open Source projects, etc., and there should be serious effort devoted to making these capable of working in the browser context, so that we won't all be vulnerable to the same bugs.

But Oracle has made life difficult for the outside sources of Java. They sued Google (unsuccessfully) for cloning Java on Android, and they've made it difficult for Open Source teams to get formal Java certification for their platforms to the extent that the Apache Open Source project walked off of the Java Standards Process some years ago. Oracle's anti-competitive behavior around Java should stop now, for the good of the customer and the survival of the product.

The problems revealed so far are with the Java security model. The flaws permit what's called a "privilege escalation": in this case, a program that isn't allowed to modify your files can gain the privilege of doing so without your permission.
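To make concrete what the Java security model is supposed to enforce, here is an added example (not code from the original post and not Oracle's own code): a small, hypothetical SecurityManager written for this illustration that refuses file writes and refuses to let itself be replaced, which is roughly the boundary the browser-plugin sandbox drew around untrusted applets. The escalation bugs described above amount to untrusted code crossing that boundary; the example shows only the boundary working as intended, with the write and the attempt to remove the manager both refused. The class and method names are assumptions of this example.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.Permission;

public class SandboxDemo {

    // Hypothetical manager for this demo. It denies two things the applet sandbox
    // also denied to untrusted code: writing files, and replacing the manager itself.
    static class NoFileWriteManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission && perm.getActions().contains("write")) {
                throw new AccessControlException("sandbox: file write denied", perm);
            }
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new AccessControlException("sandbox: replacing the manager denied", perm);
            }
            // Everything else is allowed here; a real policy would be far stricter.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Try to write to the given file. Returns true on success, false if the sandbox refused.
    static boolean tryWrite(File target) throws IOException {
        try (FileWriter w = new FileWriter(target)) {
            w.write("written from inside the sandbox\n");
            return true;
        } catch (AccessControlException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    // Try to remove the manager. Returns true if that succeeded, false if it was refused.
    // Disabling the manager is, in effect, what a privilege escalation in the sandbox achieves.
    static boolean tryDisableSandbox() {
        try {
            System.setSecurityManager(null);
            return true;
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Create the target before the manager is installed; afterwards even that is denied.
        File target = File.createTempFile("sandbox-demo", ".txt");
        target.deleteOnExit();

        System.out.println("before sandbox, write succeeded: " + tryWrite(target));
        System.setSecurityManager(new NoFileWriteManager());
        System.out.println("inside sandbox, write succeeded: " + tryWrite(target));
        System.out.println("inside sandbox, disabling it succeeded: " + tryDisableSandbox());
    }
}
```

The SecurityManager mechanism is deprecated for removal since JDK 17 (JEP 411), so on JDK 17 and later the program must be started with `-Djava.security.manager=allow` for `System.setSecurityManager` to work at all, and it no longer functions in the newest releases; on a 2013-era JDK it runs as written. The point for a defender is that the sandbox is only as strong as the manager's ability to stay installed: any bug that lets untrusted code reach `setSecurityManager(null)`, or an equivalent path around `checkPermission`, turns every later check into a no-op.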

Is Oracle equipped to solve these problems? It's not obvious to outsiders how much of the Java development team has survived since Oracle's acquisition of Sun Microsystems, Java's creator. If they've lost or laid off a significant amount of the developer team, Oracle will need to scramble to fill those seats with experienced people now.

But it is unlikely that, as claimed by H.D. Moore of Rapid7, Oracle would take two years to solve all remaining problems. Two months sounds more like it. Making sure that everybody's updated their Java program, however, is a separate issue. Vulnerable versions may exist on ill-maintained systems for some time. Firefox will warn you about them (if you allow it to update itself) and other browsers or antivirus programs should do so, but may not today.

It's unprecedented for the Department of Homeland Security to suggest that users simply unplug any software product, even after it's fixed, as they have suggested that users abandon the Java browser plugin. This would be ammunition for a successful lawsuit by Oracle if Oracle hasn't actually, as is implied by the DHS statement, completely and thoroughly botched the system's security.

One suggestion to users: turn to Open Source. It gets security exploits, but not of this magnitude and they are fixed and distributed to customers more rapidly than proprietary products. Firefox was obviously on top of this. If the Java browser plugin had been from an Open Source project rather than Oracle, the problem would probably never have gotten this far.

Bruce Perens (@BrucePerens)