Winter is coming

Should Oracle be doing more for Java 6 users?

Lucy Carey

With more than fifty percent of Java users still employing an unsupported version of the program, security expert Christopher Budd paints a grim scenario for the next year.


It may not be Halloween for another month or so, but a grim blog
post from security expert Christopher Budd will send a shiver down
the spine of users with desktop Java still installed. As we
reported last week, Java’s security issues have become even more
complex this year, with a new raft of highly skilled attackers
capable of targeting its native layer and exploiting system
vulnerabilities on an unprecedented level. Unfortunately for
Oracle, the bad news has continued, with Budd delivering the grim
prediction on September 10 that there’s every reason to believe
the worsened situation is “here to stay”, and likely to get even
worse before it gets

In a doom-laden post on Trend Micro, Budd identified the native
layer exploits as emblematic of an increasing sophistication in
attacks, and as just one sign that things had changed for the
worse. The coalescence of this issue with a new wave of attacks
targeting unpatched vulnerabilities in Java 6, a widely deployed
version of Java that has been unsupported since February 2013, has
led the analyst to conclude that the overall ‘threat environment’
for Java has increased.

More than 50% of Java users are still actively running Java 6, in
spite of the huge risk of using a version without security
support, creating an unprecedented situation for Oracle. Java 6
users are effectively now a sitting target, and Budd is in no
doubt that new waves of attacks are inevitable as malware
developers get busy reverse engineering Java 7 fixes to find the
corresponding unpatched flaws in the old, unsupported version.

Of course, the simple solution would be to just
uninstall Java 6 and upgrade to Java 7 – but, as we’ve seen, that’s
not a realistic scenario, or a feasible solution for every user,
and whilst there is a premium option where users can pay for extra
Java 6 support, that’s simply not a solution for everyone.

Information security consultant Michael Horowitz points out on his
Java version testing site that there seems to be a communication
failure between Java browser plug-ins and browsers, meaning that
it can be difficult to find and catalogue all the versions of Java
on a PC. The platform is so ubiquitous that it would be virtually
impossible to completely eradicate vulnerable versions, and this
means that the line of defence must shift from individual devices
to the network as a whole. As Budd reflects, this gives a new and
sinister connotation to Sun Microsystems’ marketing slogan “The
Network is the Computer”.
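The cataloguing problem Horowitz describes is one that defenders can at least partly attack from the host side: enumerate every Java binary on a machine, ask each one for its version, and flag anything at Java 6 or older. The script below is an added example written for this article, not code from Budd, Horowitz or Oracle. The install-path globs and the `java -version` outputs it uses as sample input are constructed; the "unsupported at 1.6 and below" threshold reflects the February 2013 end of public Java 6 updates mentioned above.

```python
"""Inventory Java runtimes on a host and flag unsupported ones (Java 6 and older).

Added example, not from the article. Install paths and sample outputs are constructed.
"""
import glob
import os
import re
import subprocess
from dataclasses import dataclass

# `java -version` prints a line such as:   java version "1.6.0_45"
# (Oracle) or:   openjdk version "1.8.0_40"   -- on stderr, not stdout.
VERSION_LINE = re.compile(r'\b(?:java|openjdk) version "([0-9][0-9._]*)"')

# Java 6 (1.6) lost public security updates in February 2013; anything at or
# below this major version is reported as unsupported.
LAST_UNSUPPORTED_MAJOR = 6

# Constructed list of places a JRE/JDK is commonly installed. An assumption for
# this example; extend it for per-user plug-in dirs and app-bundled runtimes.
CANDIDATE_GLOBS = [
    "/usr/lib/jvm/*/bin/java",
    "/usr/java/*/bin/java",
    "/Library/Java/JavaVirtualMachines/*/Contents/Home/bin/java",
    "C:/Program Files/Java/*/bin/java.exe",
    "C:/Program Files (x86)/Java/*/bin/java.exe",
]


@dataclass(frozen=True)
class JavaVersion:
    major: int    # 6 for "1.6.0_45", 7 for "1.7.0_25", 11 for "11.0.2"
    update: int   # 45 for "1.6.0_45"; 0 when no update number is present
    raw: str


def parse_version_string(s):
    """Turn "1.6.0_45" / "1.7.0_25" / "11.0.2" into a JavaVersion."""
    main, _, update = s.partition("_")
    parts = [int(p) for p in main.split(".") if p]
    # Releases before Java 9 use the legacy "1.<major>" numbering scheme.
    major = parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]
    return JavaVersion(major=major, update=int(update) if update else 0, raw=s)


def parse_version_output(text):
    """Extract the version from `java -version` output; None if no version line."""
    m = VERSION_LINE.search(text)
    return parse_version_string(m.group(1)) if m else None


def is_unsupported(v):
    return v.major <= LAST_UNSUPPORTED_MAJOR


def classify(outputs):
    """outputs: {binary_path: version_output} -> sorted [(path, raw, unsupported)].

    A binary whose version cannot be read is reported with (None, None) so it
    still shows up as a finding rather than silently dropping out of the list.
    """
    report = []
    for path, text in sorted(outputs.items()):
        v = parse_version_output(text)
        if v is None:
            report.append((path, None, None))
        else:
            report.append((path, v.raw, is_unsupported(v)))
    return report


def probe_host():
    """Run every java binary matched by CANDIDATE_GLOBS and classify its output."""
    outputs = {}
    for pattern in CANDIDATE_GLOBS:
        for path in glob.glob(pattern):
            if not os.access(path, os.X_OK):
                continue
            try:
                proc = subprocess.run([path, "-version"], capture_output=True,
                                      text=True, timeout=15)
                outputs[path] = proc.stderr + proc.stdout
            except (OSError, subprocess.TimeoutExpired) as exc:
                outputs[path] = f"error: {exc}"
    return classify(outputs)


# Constructed sample outputs standing in for three runtimes found on one PC.
SAMPLE_OUTPUTS = {
    "/usr/lib/jvm/java-6-sun/bin/java":
        'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)\n',
    "/usr/lib/jvm/java-7-openjdk/bin/java":
        'java version "1.7.0_25"\nOpenJDK Runtime Environment (IcedTea 2.3.10)\n',
    "/opt/broken/bin/java": "error: [Errno 13] Permission denied",
}

if __name__ == "__main__":
    for path, raw, unsupported in classify(SAMPLE_OUTPUTS) + probe_host():
        status = "UNKNOWN" if raw is None else ("UNSUPPORTED" if unsupported else "ok")
        print(f"{status:12} {raw or '-':10} {path}")
```

Run stand-alone it reports the three constructed samples and then whatever real runtimes the globs turn up on the host; the output is the per-device half of the picture, which is why an "unknown" result is deliberately kept as a finding rather than discarded.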
When support for Windows XP is withdrawn by
Microsoft next spring, Budd frets that “a perfect storm of
permanently vulnerable systems” will be created, leading him to
hypothesise that summer 2014 could be a veritable spree for cyber

For those unable to jump ship from Java 6, the best they can do is
try to mitigate the security issue. Since March, Red Hat has
assumed leadership of the OpenJDK 6 community, and Apple has
actively updated OS X to automatically disable Java if it hasn’t
been used for 35 days. Oracle is highly aware of the issue, and has
been enforcing a Microsoft-style ‘security push’, but perhaps it
would be better served by re-examining its “End of Life” date
policy and its policy of abandoning non-premium customers, not only
as a goodwill gesture towards the millions of users still dependent
on Java 6, but to bolster the integrity of Java as a whole.
