JAX London 2014: A retrospective
Security black holes

Op-Ed: Oracle is letting the side down for desktop users

ElliotBentley
lock.11

With accusations that Oracle ignored warnings of the 0day exploit months ago, are the Java stewards doing enough to keep SE users safe?

“Disable Java NOW,” screamed a headline on UK tech publication The Register. “Please, for the love of your computer disable Java on your browser,” a security expert was quoted saying on Ars Technica.

We can imagine better publicity for the platform. When Java is being described as less secure than Flash or Acrobat, you’ve got a serious image problem brewing.

Tuesday’s zero-day exploit only affects SE users running 1.7, and – at least for now – only on Windows, but it’s far from the first time Java has been in the news for security holes. Among them is Flashback, the worst piece of malware ever seen on OS X, used an exploit in Java that had failed to be patched in the Mac version.

Zero-day exploits will always be found in any platform or system, no matter how ‘secure’ it is. The trick is to react as quickly – or faster than – anyone with nasty intentions. Unfortunately, with Java’s four-month security patch release schedule, this zero-day exploit won’t be patched for another two months.

If that wasn’t bad enough, Java SE has yet to get silent updates, as initially popularised by Chrome and since adopted by Firefox and even Flash Player. On Windows, Java still requires the user to respond to an annoying pop-up alert and then bother to go through a whole install wizard each time. We haven’t seen any adoption stats, but we doubt the majority of users are running the latest, most secure versions.

Silent updates may be somewhat divisive, but perhaps they’re necessary when it comes to security issues like this. And, after all, power users and developers aware of the differences between versions can choose to manually update instead.

Of course, that seems like a moot point in the context of accusations that Oracle have known about these vulnerabilities for months. The press went from bad to worse today, as the same security firm claimed that they had reported 29 different security flaws since April – but only three of these were fixed by the June patch.

“Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don’t know why Oracle left so many serious bugs for the Oct. CPU,” a member of the firm told CIO. Oracle declined to provide a comment to JAXenter on any of the accusations.

The importance of Java in the browser may be diminishing rapidly, but it’s still part of the brand. If end users feel they can’t place their trust in Java, how long until this uncertainty spreads to the enterprise world?

If Java truly is “one platform”, that platform needs to be equally secure everywhere.

Photo by m thierry.

Author
Comments
comments powered by Disqus