Java’s Problems - Security Experts Give Their Opinions
By David Gilbert | March 18, 2013 10:02 PM EST
Security experts give their opinion on the problems Oracle is facing with Java and what the future holds for the software.
Java was designed by James Gosling at Sun Microsystems in the early 1990s with the specific aim of freeing up computer programmers to "write once, run anywhere." And it worked. Java is currently installed on somewhere around 850 million personal computers around the globe.
However, the last three years have not been so good for the platform, with numerous security vulnerabilities being revealed and exploited by everyone from Anonymous hacktivists to cyber-criminals, and in state-sponsored cyber-espionage campaigns.
Things have been so bad recently that the Department of Homeland Security in the US publicly warned users to disable Java software completely, such was its concern over the security flaws inherent in the software.
Oracle, the company which took over Sun Microsystems and therefore Java in 2010, is struggling to keep Java patched. With new vulnerabilities appearing on a weekly basis, the company is simply fire-fighting, trying to patch vulnerabilities as soon as they appear.
When contacted by IBTimes UK, Oracle refused to put up a spokesperson to discuss the Java security problems, pointing us to the company's security blog instead, so we decided to ask security experts what their view of Java is and what the future holds for the platform.
David Emm, senior security researcher at Kaspersky Labs, pointed out that although Java topped his company's list of vulnerable applications in 2012, this is not because there is anything intrinsically wrong with it.
"Cyber-criminals target applications that are likely to reap rewards for them - in this case installing their code on a vulnerable system. This means targeting an application that is widely-used and often goes unpatched."
Emm says that Java is pervasive, mainly because it is installed on systems by default, even where people don't necessarily need it.
"As a result, if it goes unpatched it becomes a potential threat. It's always good for any company (or individual) to reduce their attack surface; and this includes looking at what applications are installed and reviewing what's actually needed. By leaving the platform unpatched, it opens up a space for cybercriminals to easily access the system."
However, simply turning off features is never an ideal answer to problems such as security: "We might as well suggest not switching on a computer to stay safe," Emm says.
"New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to disable, in the long term this does no good for the industry. We need to be looking at better ways to defend our systems and data."
Looking at what Oracle can do to address the problem of Java, Emm says that while applying updates is important, you can only apply them when they are available.
"Currently, Java updates are on-demand, rather than being applied automatically, meaning many users can easily ignore them. Also, if updates were issued more frequently, this would reduce the 'window of vulnerability' available to cyber-criminals."
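As an added illustration of the attack-surface review Emm describes (checking which hosts actually need Java, and whether what is installed is at the current patch level), here is a small Python audit over a constructed endpoint inventory. This is example code written for this page, not code from the article, Kaspersky or Oracle; the host names, version strings, the set of hosts that "need" Java and the patched baseline are all assumptions made up for the example. It also shows a pitfall in this kind of check: legacy Java version strings such as `1.7.0_9` and `1.7.0_17` must be compared numerically, because as plain text `1.7.0_9` sorts after `1.7.0_17` and an outdated install would be reported as up to date.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory (made-up data): hostname -> Java version string as
# reported by an endpoint agent, or None when Java is not installed.
INVENTORY: Dict[str, Optional[str]] = {
    "ws-01": "1.7.0_17",
    "ws-02": "1.7.0_9",
    "ws-03": "1.6.0_41",
    "ws-04": None,
    "ws-05": "1.7.0_17",
}

# Hosts with a documented business need for Java (assumption for the example).
JAVA_REQUIRED: Set[str] = {"ws-01", "ws-02"}

# Hypothetical patched baseline an organisation would set after the latest update.
BASELINE = "1.7.0_17"

# Legacy Java version format: major.minor.patch[_update]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a version string such as '1.7.0_17' into a comparable tuple
    (major, minor, patch, update). Raises ValueError on unexpected input so a
    malformed agent report is surfaced rather than silently treated as 'ok'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_outdated(installed: str, baseline: str) -> bool:
    """True when the installed version is numerically below the baseline."""
    return parse_java_version(installed) < parse_java_version(baseline)


def audit(inventory: Dict[str, Optional[str]], required: Set[str],
          baseline: str) -> Dict[str, List[str]]:
    """Classify every host with Java installed:
    - 'remove'    Java present on a host with no documented need (attack surface)
    - 'update'    Java needed but below the patched baseline
    - 'ok'        Java needed and at or above the baseline
    - 'malformed' version string the agent reported could not be parsed
    Hosts without Java are skipped."""
    result: Dict[str, List[str]] = {"remove": [], "update": [], "ok": [], "malformed": []}
    for host, version in sorted(inventory.items()):
        if version is None:
            continue
        if host not in required:
            result["remove"].append(host)
            continue
        try:
            outdated = is_outdated(version, baseline)
        except ValueError:
            result["malformed"].append(host)
            continue
        result["update" if outdated else "ok"].append(host)
    return result


if __name__ == "__main__":
    for action, hosts in audit(INVENTORY, JAVA_REQUIRED, BASELINE).items():
        print(f"{action:>9}: {', '.join(hosts) or '-'}")
```

Run against the constructed inventory, the script lists ws-03 and ws-05 for removal (Java present with no documented need, regardless of version), ws-02 for updating, and ws-01 as current. The same classification can be fed from a real software-inventory export once the host names and baseline are replaced with the organisation's own values.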
Andrew Storms, director of security operations at nCircle, believes that Java is an easy target for those looking to make a lot of money from exposing security vulnerabilities:
"Java is proving to be the gift that keeps on giving for attackers. Given the value of a zero-day on a product as ubiquitous as Java, we're likely to see a lot more targeted attacks against major corporations and government entities. As soon as Oracle fixes one bug another is disclosed."
Conversely, Java is a real headache for those looking to protect users and sensitive and highly valuable data.
"For IT security teams, Java is proving to be a never-ending source of pain. There are no good tools to control desktop configurations and it's used in a lot of business critical applications. The bad news with Java just keeps getting worse and there is no end in sight."
Storms' colleague, Lamar Bailey, director of security research and development at nCircle, believes Oracle is simply fire-fighting, and that as one problem is solved, another quickly appears in its place.
"It's good to see Oracle responding faster to critical vulnerabilities, but it's way past time for them to do a deeper dive on Java's security issues. I've always thought Oracle did a good job of securing their products, but the recent rash of Java vulnerabilities is causing me to lose faith. I worry that serious security problems may be found in their other products."
Bailey is hoping Oracle has dedicated enough resources to solving the current problems, but until such time as that happens, all users can do is keep updated:
"I hope Oracle has already assigned a team of their best security engineers to proactively squash any of the remaining Java security issues, but until then users will be updating Java as often as they update AV signatures."
Sean Sullivan, security advisor at F-Secure, says the rash of Java vulnerabilities being uncovered at the moment is simply the result of increased demand.
"There is a bigger and bigger demand [for Java vulnerabilities] not just from crimeware but other sources, so in the short term the increased demand could really see the spinning-off of vulnerabilities that get exploited in the crimeware arena."
In the long term, Sullivan believes the platform could gain some "strength forged through fire"; however, he adds, "there is some fire to go through yet."
While Apple is marginalising everything but the current version of Java on Mac OS in order to limit exposure to its users, Sullivan believes the same cannot be said for Windows:
"It is not going to be easy to live without Java on the Windows platform for quite some time."
When asked if Oracle should simply get rid of Java altogether, Sullivan says: "I think the market will take care of that actually. I think that the security vulnerabilities that exist are going to drive IT managers [to look elsewhere]."