Winter is coming

Should Oracle be doing more for Java 6 users?

Lucy Carey

With more than fifty percent of Java users still employing an unsupported version of the program, security expert Christopher Budd paints a grim scenario for the next year.


It may not be Halloween for another month or so, but a blog post from security expert Christopher Budd will send a shiver down the spine of anyone with desktop Java still installed. As we reported last week, Java’s security issues have become even more complex this year, with a new wave of highly skilled attackers able to target its native layer and exploit system vulnerabilities on an unprecedented scale. Unfortunately for Oracle, the bad news has continued, with Budd delivering the grim prediction on September 10 that there’s every reason to believe the worsened situation is “here to stay”, and likely to get even worse before it gets better.

In a doom-laden post on the Trend Micro blog, Budd identified the native layer exploits as emblematic of an increasing sophistication in attacks, and just one sign that things had changed for the worse. The coalescence of this issue with a new wave of attacks targeting unpatched vulnerabilities in Java 6, a widely deployed but, as of February 2013, no longer supported version of Java, has led Budd to conclude that the overall ‘threat environment’ for Java has increased significantly.

More than 50% of Java users are still actively running Java 6, in spite of the huge risks of having no security support, creating an unprecedented situation for Oracle. Java 6 users are effectively now a sitting target, and Budd is in no doubt that new waves of attacks are inevitable as malware developers get busy reverse engineering Java 7 fixes to find the corresponding, still-unpatched flaws in the old, unsupported version.

Of course, the simple solution would be to uninstall Java 6 and upgrade to Java 7 – but, as we’ve seen, that isn’t realistic or feasible for every user, and whilst there is a premium option where users can pay for extended Java 6 support, that’s simply not a solution for everyone.

Information security consultant Michael Horowitz points out on his Java version testing site that there seems to be a communication failure between Java browser plug-ins and browsers, which means it can be difficult to find and catalogue all the versions of Java on a PC. The platform is so ubiquitous that completely eradicating vulnerable versions would be virtually impossible, so the line of defence must shift from individual devices to the network as a whole. As Budd reflects, this gives a new and sinister connotation to Sun Microsystems’ marketing slogan “The Network is the computer.”
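Because the browser plug-in only ever reports the single runtime it loads, an inventory has to ask each installed java binary directly. The script below is an added example written for this article, not code from Budd, Horowitz, Trend Micro or Oracle: it parses the banner that `java -version` prints for every binary found on a host and flags any on the 1.6.x line. The sample inventory, the paths in it and the threshold constant OLDEST_SUPPORTED_FAMILY are constructed assumptions for the example; it also accepts the later "11.0.2"-style version strings, which go beyond what the article discusses.

```python
"""Inventory check for end-of-life Java runtimes.

Added example (not from the article or from Trend Micro / Oracle): parse the
banner printed by `java -version` for every java binary found on a host and
flag the ones on the Java 6 (1.6.x) line, which lost public updates in
February 2013.
"""
import re
from dataclasses import dataclass

# Java 7 was the oldest publicly supported line when the article was written
# (Java 6 public updates ended February 2013). The threshold is an assumption
# chosen for this example; raise it as later lines reach end of life.
OLDEST_SUPPORTED_FAMILY = 7

# First line of `java -version`, e.g.   java version "1.6.0_45"
# Later OpenJDK builds print   openjdk version "11.0.2"   - both are accepted.
_BANNER_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>[^"]+)"')

# Old scheme "1.<family>.<minor>_<update>" (Java 8 and earlier) and the
# newer scheme "<family>.<minor>.<patch>" (Java 9+). The leading "1." is
# optional, so "1.6.0_45" -> family 6 and "11.0.2" -> family 11.
_VERSION_RE = re.compile(
    r'^(?:1\.)?(?P<family>\d+)(?:\.(?P<minor>\d+))?(?:\.\d+)?(?:_(?P<update>\d+))?'
)


@dataclass(frozen=True)
class JavaVersion:
    family: int   # 6 for Java 6, 7 for Java 7, 11 for Java 11
    minor: int
    update: int   # the "_45" in 1.6.0_45; 0 when absent
    raw: str


def parse_version(ver: str) -> JavaVersion:
    """Parse a bare version string such as '1.6.0_45' or '1.7.0_40-b43'."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised Java version string: {ver!r}")
    return JavaVersion(
        family=int(m.group("family")),
        minor=int(m.group("minor") or 0),
        update=int(m.group("update") or 0),
        raw=ver,
    )


def parse_banner(banner: str) -> JavaVersion:
    """Parse the multi-line text that `java -version` writes to stderr."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no version line in banner: {banner!r}")
    return parse_version(m.group("ver"))


def is_unsupported(v: JavaVersion) -> bool:
    """True for any runtime older than the oldest publicly supported line."""
    return v.family < OLDEST_SUPPORTED_FAMILY


def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map {path-to-java-binary: banner} to {'unsupported': [...], 'supported': [...]}.

    Every binary is checked individually because a browser plug-in only
    reports the one runtime it happens to load; a second (often older, often
    32-bit) JRE can sit beside it unnoticed.
    """
    result: dict[str, list[str]] = {"unsupported": [], "supported": []}
    for path, banner in inventory.items():
        bucket = "unsupported" if is_unsupported(parse_banner(banner)) else "supported"
        result[bucket].append(path)
    return result


# Constructed sample inventory standing in for the output of a host scan
# (for instance `where /r C:\ java.exe` on Windows, then `java -version` on each hit).
SAMPLE_INVENTORY = {
    r"C:\Program Files\Java\jre7\bin\java.exe":
        'java version "1.7.0_40"\nJava(TM) SE Runtime Environment (build 1.7.0_40-b43)',
    r"C:\Program Files (x86)\Java\jre6\bin\java.exe":
        'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    r"C:\Program Files\Java\jre1.6.0_26\bin\java.exe":
        'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)',
    "/usr/lib/jvm/java-6-openjdk/bin/java":
        'java version "1.6.0_27"\nOpenJDK Runtime Environment (IcedTea6 1.12.6)',
}

if __name__ == "__main__":
    for bucket, paths in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}:")
        for p in paths:
            print("  ", p)
```

Run against the sample inventory it reports three unsupported runtimes beside the one Java 7, including the 32-bit JRE under Program Files (x86) that a 64-bit browser would never load and therefore never reveal. On a real host the dictionary would be filled from a filesystem walk plus one `java -version` call per hit, which is exactly the per-binary check the plug-in cannot give you.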

When Microsoft withdraws support for Windows XP next spring, Budd frets that “a perfect storm of permanently vulnerable systems” will be created, leading him to hypothesise that summer 2014 could be a veritable field day for cyber criminals.

For those unable to jump ship from Java 6, the best they can do is try to mitigate the risk. Since March, Red Hat has assumed leadership of the OpenJDK 6 community, and Apple has updated OS X to automatically disable Java if it hasn’t been used for 35 days. Oracle is highly aware of the issue and has been running a Microsoft-style ‘security push’, but perhaps it would be better served by re-examining its “End of Life” date policy and its practice of abandoning non-premium customers, not only as a goodwill gesture towards the millions of users still dependent on Java 6, but to bolster the integrity of Java as a whole.
