Oracle's Java security update lacking, experts say

While Java applications can now be prevented from running in browsers, one analyst said the process for applying the settings makes it 'useless'

Oracle's latest update of the Java Development Kit fails to go far enough in fixing the security-troubled platform, bringing only marginal improvements instead, experts say.

Among the improvements in Java SE Development Kit 7, Update 10 (JDK 7u10) is the ability to use the control panel to prevent Java applications from running in browsers. Vulnerabilities in Java are a major target for cybercriminals hoping to infect computers with malware.

That's because hackers know many people do not keep the Java plug-in for browsers up to date, leaving old flaws open to exploitation. This has resulted in a high success rate for attackers. In 2011, an exploit integrated into the Blackhole toolkit, a hacker favorite, had more than an 80 percent success rate, according to HP's security research division.

Other improvements in JDK 7u10 include using the control panel to choose from four levels of security for unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. In addition, Oracle has added a dialog box that will warn people when the Java plug-in needs to be updated to prevent exploits.

While welcoming the changes, experts said it is only a start. "New features notwithstanding, Oracle still has a long way to go to improve security," said Andrew Storms, director of security operations at nCircle.

Because consumers are not bothering to update Java now, they are unlikely to take the time to learn how to use the control panel, experts say. In addition, Storms points out that large businesses with a full-time IT security staff will only find the new settings helpful if they can be centrally managed from Microsoft Active Directory or other directory servers.

"Without this access, the new settings will essentially be useless to enterprise IT teams," Storms said.

A more important improvement would be for Oracle to perform "fuzz" testing on the platform's codebase, said Paul A. Henry, security and forensic analyst at Lumension. Fuzzing is a software testing technique for finding coding errors and security holes.

Wolfgang Kandek, chief technology officer for Qualys, suggested Oracle add a URL blacklisting/whitelisting feature that IT administrators could use to limit which Java applets can run in the browser. Hackers use these mini-programs in order to exploit flaws.

Oracle also needs to release patches faster, particularly when a previously unknown vulnerability is discovered, said HD Moore, chief security officer for Rapid7. Oracle releases patches on a quarterly basis, while Microsoft and Adobe release theirs monthly.

"Oracle's quarterly patch cycle is at odds with other makers of high-risk browser add-ons, such as Adobe," Moore told CSO Online.

Storms agreed that Oracle was slow in fixing holes and added that the vendor needs to provide the security industry with more details on vulnerabilities and patches. "Oracle has done a lousy job addressing Java security throughout 2012 and there's no reason to expect they will change their approach in 2013," he said.

Oracle became Java's steward in 2010 with the acquisition of Sun Microsystems.
