Oracle puts JAVA users at risk

Posted on January 14, 2013

Recently, multiple very severe security problems have been found in Oracle Java, and they are being exploited in the wild.

For additional background, a range of posts online address the specific details of the exploits and vulnerabilities:

This is not just another extremely dexterous hacker trick whose impact would be limited. It is a fundamental failure by Oracle, the new owner of Java, to address root-and-branch security flaws in Java, and that failure has led to widespread exploitation.

The worst part of this is that Oracle has failed the Java community by skirting around the reality of the situation. To quote Java security expert Adam Gowdiak: ‘the update from Oracle leaves unfixed several critical security flaws’.

Given the severity of the issue and Oracle's poor handling of it, it is critical that awareness among users is actively promoted. The recommendation is that users take appropriate security audit action to protect themselves and their companies: establish where Java is installed, and then remove it or restrict it.

The advice is to uninstall Java if you have no need for it, and if you are unsure whether you need it, uninstall it to be safe. If it later turns out to be needed, the latest version can be downloaded and installed easily, and by then the problems may have been resolved so that the newly installed version is more secure.

You can uninstall Java from the Windows Control Panel: ‘Programs and Features’ on Vista, Windows 7 and 8, or ‘Add / Remove Programs’ on Windows XP.
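Clicking through the Control Panel is fine for one PC, but an audit across a company needs to find every registered Java runtime first, including older ones that sit alongside the current release. The following PowerShell script is an added example, not code from the original post or from Oracle: it lists every Oracle or Sun Java entry in the Windows Installer uninstall keys (both the 64-bit and the WOW6432Node hives) and can remove each one silently with msiexec. The publisher filter and the assumption that every entry is an MSI product code are assumptions; run it from an elevated prompt for the uninstall step.

```powershell
# Added example (not from the original post): inventory every Oracle/Sun Java
# runtime registered on this Windows machine and, optionally, remove it.
# Assumes the standard Windows Installer uninstall keys and an elevated prompt.

function Get-InstalledJava {
    # 64-bit and 32-bit (WOW6432Node) uninstall hives; a machine can hold both.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java' -and $_.Publisher -match 'Oracle|Sun' } |
        Select-Object DisplayName, DisplayVersion, Publisher, PSChildName, UninstallString
}

function Remove-InstalledJava {
    param([switch]$WhatIf)
    foreach ($jre in Get-InstalledJava) {
        # For MSI-based installs PSChildName is the product code ({GUID});
        # msiexec /x removes it. /qn = no UI, /norestart = do not reboot.
        if ($jre.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
            $msiArgs = "/x $($jre.PSChildName) /qn /norestart"
            if ($WhatIf) {
                Write-Host "Would run: msiexec.exe $msiArgs"
            } else {
                Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait
            }
        } else {
            # Non-MSI entries (rare) keep their own uninstaller; do not guess.
            Write-Warning "Not an MSI product code, uninstall manually: $($jre.DisplayName)"
        }
    }
}

Get-InstalledJava | Format-Table -AutoSize
# Remove-InstalledJava -WhatIf    # preview first; drop -WhatIf to uninstall
```

Run the inventory first and keep its output: the list of DisplayVersion values is the evidence of how many out-of-date runtimes were sitting on the machine, which is exactly the point the rest of this post makes about unpatched Java.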

If Java is thought to be needed for some reason, first check whether there is an alternative way of accessing the content. If not, and Java has to be installed, make sure you are running the latest version, which can be downloaded from JAVA.com. This does not guarantee security; in fact the current version IS NOT SECURE. Even running the latest patched version of Java, your web browser can be hijacked simply by visiting a compromised website, and you will not even know it.

Even after updating to the latest version, therefore, you and your company are still exposed. To mitigate this, disable Java support in the web browser whenever it is not explicitly required: enable it only for sites you explicitly trust, and disable it again as soon as you are finished. This is a great inconvenience, made worse by a poor user-interface design that is less than intuitive for non-technical users. Instead of a simple button, users have to work through a protracted sequence of steps, which often falls foul of human nature: people just don’t bother.

To disable web browser support for Java on a Windows PC do this:

  1. Start – Control Panel – open the Java icon.
  2. Click on the Security tab and uncheck the box for “Enable Java content in the browser”.
  3. This disables Java in all your web browsers. You can re-enable it manually when you need it for a specific site.
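The checkbox above is stored by the Java runtime as the property deployment.webjava.enabled, so an administrator can enforce the same setting for every user of a PC, and lock it so that the checkbox is greyed out, without relying on people to remember the sequence. The following PowerShell script is an added example, not code from the original post or from Oracle. It assumes Java 7 Update 10 or later (the release that introduced this property), Oracle's documented system-level file locations under %WINDIR%\Sun\Java\Deployment and the per-user file under AppData\LocalLow, and an elevated prompt.

```powershell
# Added example (not from the original post): enforce "Enable Java content in
# the browser" = off for all users via Oracle's system-level deployment
# configuration, then report the effective setting. Assumes Java 7u10 or later.

$deployDir  = Join-Path $env:WINDIR 'Sun\Java\Deployment'
$configFile = Join-Path $deployDir 'deployment.config'
$propsFile  = Join-Path $deployDir 'deployment.properties'

function Disable-WebJava {
    New-Item -ItemType Directory -Path $deployDir -Force | Out-Null

    # deployment.config points the JRE at the mandatory system properties file.
    # The value is a file: URL, hence forward slashes.
    $propsUrl = 'file:///' + ($propsFile -replace '\\', '/')
    @(
        "deployment.system.config=$propsUrl",
        'deployment.system.config.mandatory=true'
    ) | Set-Content -Path $configFile -Encoding ASCII

    # The ".locked" suffix greys the checkbox out in the Java Control Panel,
    # so a user cannot re-enable the plug-in without editing this file.
    @(
        'deployment.webjava.enabled=false',
        'deployment.webjava.enabled.locked'
    ) | Set-Content -Path $propsFile -Encoding ASCII
}

function Get-WebJavaState {
    # Reports the setting in the system file and in the current user's file;
    # when the system value is locked it overrides whatever the user chose.
    $userProps = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
    foreach ($f in @($propsFile, $userProps)) {
        if (-not (Test-Path $f)) { continue }
        $line = Select-String -Path $f -Pattern '^deployment\.webjava\.enabled=' | Select-Object -First 1
        $val  = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { '(not set, defaults to true)' }
        [pscustomobject]@{
            File           = $f
            WebJavaEnabled = $val
            Locked         = [bool](Select-String -Path $f -Pattern '^deployment\.webjava\.enabled\.locked' -Quiet)
        }
    }
}

Disable-WebJava
Get-WebJavaState | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: this property only exists from Java 7 Update 10 onwards, so any older runtime found on the machine should simply be uninstalled rather than "disabled"; and the Java Control Panel only governs Oracle's own plug-in, so it is still worth confirming in each browser's add-on manager that no Java plug-in remains enabled.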

Once Oracle has closed the current security holes in Java, it should be safe to re-enable Java support IF you require it. That said, organisations would be well advised to consider alternatives to Java that are better supported and, in today’s multi-device world, offer greater flexibility. From a website perspective there is very little you can do in Java that you cannot do in modern HTML5 and JavaScript.

The problem has reached almost epidemic proportions in Java-based applications and extensions, because they are so poorly patched by users and application developers: economic priorities, and the overhead of managing the poor interoperability between the many versions of the Java runtime environment, get in the way. Since Oracle took on Java through its acquisition of Sun Microsystems it has shown a cavalier attitude, responding very slowly with security patches that no longer cover many of the older versions still in wide use. That is thanks in no small part to the likes of HP, Dell and Cisco, who continue to build client management interfaces in Java, proliferating it across devices and, most frighteningly, in their administrative-grade tools.

The industry and the media give Microsoft Windows XP a hard time; Java is a risk on a far greater scale.