mozerd
Light Will Pierce The Darkness
MVM
join:2004-04-23
Nepean, ON

1 recommendation

JAVA: Fixing zero-day exploit could take 'two years'

Security experts on Java: Fixing zero-day exploit could take 'two years'

Oracle, distributor of Sun's Java software, has not had the best weekend.
First came the discovery of chinks in the computer language's armor last week, after researcher "kafeine" pointed out a number of websites that were using a zero-day security vulnerability within Java 7 Update 10, which could result in the installation of malware or identity theft, or be used to rope personal computers into unauthorized botnets -- which can then be used in denial-of-service attacks against other sites.

The problem was severe enough for the firm to release an emergency patch -- Java 7 Update 11 -- over the weekend. However, security experts have warned that the changes do not go far enough.

Security researcher Adam Gowdiak from Security Explorations has been keeping an eye on the software flaws in Java over the past year. Once Gowdiak analyzed the latest update to Java, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This statement, mirrored by AlienVault Labs' Jaime Blasco who branded Oracle's offering as a "mess," was later reinforced by the firm's recommendation against using the software.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak commented.


Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Also from the article:
quote:
...chief security officer of business security company Rapid7 HD Moore estimated that it could take up to two years for Oracle to fix the flaws found in the version of Java used to browse the Internet -- not taking into consideration any further exploits that are developed within this timeframe.

It seems like something of a lost cause, as he advised: "The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."
Somehow, I don't think most users are going to wait around for "up to two years". It may turn out that Sun made a pretty smart sale...

Link Logger
MVM
join:2001-03-29
Calgary, AB

to mozerd

Two years pretty much means stick a fork in it and get the fat lady to let fly with that big closing note, but users might end up in a tight spot trying to replace existing Java apps and the infrastructure which has been built up around those apps. I feel for them.

Blake

spiken to mozerd
@dsl.net
Anon

But no explanation as to why it's not secure?

Sounds like a weak argument to me...explain what's wrong at least instead of basically saying "nope...not enough...still sucks" :-P

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

said by spiken:

Sounds like a weak argument to me...explain what's wrong at least instead of basically saying "nope...not enough...still sucks" :-P

Needless to say, inquiring minds certainly would like to know details about whatever constitutes the "unfixed several security flaws" that Gowdiak states still exist in Java. I do recall reading one reference just yesterday (though I can't retrace just where, out of the very many articles I read) that he had reported at least one of these unfixed flaws to Oracle a year ago, and that it still exists with no response publicly or privately on Oracle's part. Part of the lack of detail in these researchers' warnings may arise from an unwillingness to publicly publish exploit details and immediately expose millions of users, even if the software maker is lax in fixing them.

In any case, my own observation (which has only increased in intensity over a number of years) is that Java is hopelessly vulnerable to attacks that are unusually impacting, and that as fast as these are blocked, new ones are trotted out. I see nothing to change my mind from the current saga, and it's that (sad) conclusion that's led me to finally abandon Java entirely on all my systems. It's just an ongoing, perpetual risk that I'm not willing to run anymore.