Oracle's Java security improvements don't quite satisfy
Changes welcomed, but one expert said he'd like to see sandbox technology in Java like that used in Adobe Reader and Google Chrome
By Antone Gonsalves
May 31, 2013 — CSO — Oracle's plans to bolster Java security were welcomed by security experts who nevertheless wanted to see more done to lockdown one of hackers' favorite targets.
The Java steward released on Thursday its priorities for the application platform. The changes on tap included automated checking of the validity of signed certificates, stopping unsigned applets from being executed by default and adding centralized management options. The latter included whitelisting of applets in enterprise environments.
The upcoming changes, as well as other security efforts outlined in Oracle's Software Security Assurance Blog, were categorized on Friday by security experts as necessary improvements that were far from definitive.
"No one step Oracle is taking stands out as a silver bullet that will cure Java security issues," said Paul Henry, a security and forensic analyst with Lumension. "That being said, each with one exception is a step in the right direction."
That exception was Oracle's decision to release Java patches on a quarterly basis, although the company said it would make exceptions for highly critical zero-day vulnerabilities. Given the number of flaws Oracle is patching -- 97 so far this year -- a quarterly release is too much of a burden for corporate security pros, Henry said.
"With the patch load we have seen historically, it may be better and faster to adopt a monthly cycle as Microsoft has done for years," he said.
HD Moore, chief research officer for Rapid7, said he believed the changes in the handling of applets was the most important piece of Oracle's announcement. In the past, signed applets could run outside of the Java sandbox. Oracle plans to no longer make that possible.
"Oracle is changing this model so that signing an applet no longer confers sandbox escape privileges," Moore said. "This is a good thing for security."
However, Moore wanted to see more improvements related to the Java sandbox, such as adoption of the more secure technology used in Adobe Reader and Google Chrome.
"A malicious applet with a valid signature can still abuse JRE (Java Runtime Environment) security flaws to escape the sandbox and compromise the system," Moore said.
Andrew Storms, director of IT and security operations for Tripwire, said a change he liked was splitting the Java distribution in two, one for the client computer and browser and the other for the server, where corporations run their Java-based business applications.
"It's a smart move to differentiate the two parts of Java, because that has always been pretty confusing for all end users," Storms said.
Oracle, which acquired Java with the purchase of Sun Microsystems in 2010, has been criticized for sometime by security pros for moving too slowly to stop Java exploits.
The spotlight was turned on the problem in January when a previously unknown flaw actively exploited by cybercriminals prompted the Department of Homeland Security to advise consumers to disable Java on their PCs. The DHS warning was the same advocated by security experts for quite awhile.
While the security problems mostly involved the Java browser plug-in, the extensive publicity raised concern among Oracle's corporate customers. As a result, Oracle has started to show progress in handling Java security, experts say.
Read more about application security in CSOonline's Application Security section.