Java security holes need fixing immediately

Summary: Oracle has just released another big security update, patching 17 vulnerabilities across various platforms -- except for Apple's Mac OS X. All the holes could be remotely exploited without authentication, which means patches should be applied as a matter of urgency, especially on systems where Microsoft Windows is being run with administrator privileges.

Oracle has just released another big security update, patching 17 vulnerabilities across various platforms -- except for Apple's Mac OS X, where Apple ships and patches its own Java. All 17 holes can be exploited remotely without authentication, which means patches should be applied as a matter of urgency, especially on systems where Microsoft Windows is being run with administrator privileges. However, an alternative is to remove exposure to all current and future Java vulnerabilities by uninstalling it. Java has failed as a system for developing web-based applications, and few users are likely to miss it.

Where Java runs under a Windows administrator account, the most severe of the 17 vulnerabilities carries the highest possible CVSS (Common Vulnerability Scoring System) base score of 10.0. The score falls to 7.5 where the user is not an administrator, which is normally the case on Linux and Solaris. The difference is in the impact part of the score: a sandbox escape in a plug-in running as administrator gives an attacker complete control of the machine, whereas an unprivileged user's Java process can only hand over that user's data and processes.

In its web announcement, Oracle said, in bold: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible." (CPU is Oracle's term for a Critical Patch Update.)

Oracle is in the process of pumping out the update to those who have allowed auto-updates, and I've already installed it where necessary. The only catch is that it may close down all your browser sessions even if you tell it not to. Users can also download Java 6 update 26 manually.
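The check a practitioner wants after the update is whether every machine now reports Java 6 Update 26 or later. Below is an added example, not code from the article or from Oracle, that parses the version line `java -version` prints and compares it correctly. The sample outputs are constructed for the example; `installed_java_version` runs the real command and is the only part that touches the system.

```python
# Added example, not from the article: parse the version string printed by
# `java -version` and decide whether the install is at or above Java 6
# Update 26, the release that ships this Critical Patch Update.
import re
import subprocess

# Java 6 reports itself as 1.6.0_NN; the update number is what this CPU bumps.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# (major, minor, micro, update) of Java 6 Update 26
FIXED_IN = (1, 6, 0, 26)


def parse_java_version(output: str):
    """Return (major, minor, micro, update) from `java -version` output,
    or None if no version line is present."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(output: str, fixed_in=FIXED_IN) -> bool:
    """True if the reported version is at or above the fixed release.
    Comparing tuples of integers is essential: comparing the raw strings
    would rank "1.6.0_7" above "1.6.0_26" because '7' sorts after '2'."""
    version = parse_java_version(output)
    return version is not None and version >= fixed_in


def installed_java_version():
    """Run the real `java -version` (it prints to stderr) and parse it.
    Returns None when no java binary is on the PATH, which is the result
    you want to see on a machine where Java has been uninstalled."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample outputs in the format the JRE prints (not real captures).
SAMPLES = {
    "windows-old": 'java version "1.6.0_24"\n'
                   'Java(TM) SE Runtime Environment (build 1.6.0_24-b07)\n',
    "linux-patched": 'java version "1.6.0_26"\n'
                     'Java(TM) SE Runtime Environment (build 1.6.0_26-b03)\n',
    "seven-trap": 'java version "1.6.0_7"\n',
    "no-java": "'java' is not recognized as an internal or external command\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name}: {parse_java_version(out)} patched={is_patched(out)}")
    print("this host:", installed_java_version())
```

Note that a correct result from `java -version` only tells you about the runtime that is first on the PATH; a browser plug-in can point at an older JRE left behind by an earlier installer, so on machines you are not uninstalling from, check the plug-in the browser actually loads as well.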

Oracle is not providing security fixes for Apple users, who will have to wait for Apple to provide them. This could leave Mac users vulnerable if any malware writers can be bothered to reverse-engineer the patches and exploit the flaws they fix before Apple's update ships. The Mac's relatively small user base -- there are only 54 million compared with roughly 1,350 million or more PCs -- does not make it a prime target, though it has recently been attacked via social engineering and fake anti-malware.

As Microsoft pointed out in its latest Security Intelligence Report, Java has become a significant target for malware writers. In a previous post, I quoted the report as follows:

"Malware written in Java has existed for many years, but attackers had not focused significant attention on exploiting Java vulnerabilities until somewhat recently. In 3Q10, the number of Java attacks increased to fourteen times the number of attacks recorded in 2Q10, driven mostly by the exploitation of a pair of vulnerabilities in versions of the Sun (now Oracle) JVM, CVE-2008-5353 and CVE-2009-3867. Together, these two vulnerabilities accounted for 85 percent of the Java exploits detected in the second half of 2010."

The question now is whether Java is still worth the security risk, and for most of its 850 million users, it probably is not. I uninstalled it from my Windows XP machines a couple of years ago, following an earlier attack, and have only noticed its absence twice: when downloading a YouTube video (KeepVid needs Java) and when running an ADSL speed test. In both cases, it was reasonably easy to find alternatives.

Today, Chester Wisniewski from Sophos took the same line in his blog post on the issue, saying:

"If you haven't already, I recommend testing out your standard OS images without the Java plug-in. Most people aren't using Java these days and it reduces the attack surface for exploits delivered over the internet."

Times have changed since Java was controlled by the relatively altruistic but marginally competent Sun Microsystems, and its stewardship has now passed to Oracle, which is extremely competent at making money. The kind of impact Oracle is having is illustrated in the Java Community Process vote on Java SE 7, which H Open said had "been passed, but not without a chorus of protest from participants in the process. Google's was the only no vote, but IBM, Red Hat, SouJava, London Java Community, Goldman Sachs and Fujitsu all said they were only voting yes on the technical merits of the proposal and did not approve of Oracle's handling of the Java licensing, the expert groups or the transparency of the process."

It's always possible that Oracle will "donate" Java to the Apache Software Foundation -- which it has proposed for Sun's buggy and failing OpenOffice.org suite -- but that was only after LibreOffice forked the code and looked likely to win community support. There could well be some unpleasant battles before Java becomes truly open, if it ever does.

@jackschofield

Jack Schofield

About Jack Schofield

Jack Schofield spent the 1970s editing photography magazines before becoming editor of an early UK computer magazine, Practical Computing. In 1983, he started writing a weekly computer column for the Guardian, and joined the staff to launch the newspaper's weekly computer supplement in 1985. This section launched the Guardian’s first website and, in 2001, its first real blog. When the printed section was dropped after 25 years and a couple of reincarnations, he felt it was a time for a change....

Talkback

7 comments
  • "Java has failed as a system for developing web-based applications, and few users are likely to miss it."

    They will if they use Twitter, Jack, according to a support email from them a couple of days ago.
    ronwgraves
  • @ronwgraves

    Really? I missed it, and I'm a bit of a Twitterholic! ;-)

    The website uses JavaScript and CSS etc, and there are plenty of non-Java options if you're writing a Twitter client... And if they are using it somewhere in the back end, I really don't care!
    Jack Schofield
  • Unfortunately Java, Flash, and Adobe Reader are all subject to frequent exploits through a web browser. Java and Flash having the highest number, of course. Oracle has done an awful job of maintaining Java's deployment packages, as we've seen numerous problems (more than when it was at Sun) when trying to deploy and upgrade it with installation errors (on Windows). Flash is also out of control with security updates being released about every 2-3 weeks. It's an IT nightmare, keeping all of these apps up to date. Removing them from PCs is definitely worth considering.
    Chris_Clay
  • @Jack,

    > Java has failed as a system for developing web-based applications,
    > and few users are likely to miss it.

    If you mean Java on the client-side - i.e. applets and even native applications - then I'd have to agree. It's more trouble than it's worth, but then I'd also say the same about .net, Flash and Silverlight too. But Java on the server-side powers many a web page on the internet and also on corporate intranets, so to say that "Java has failed as a system for developing web-based applications" couldn't be further from the truth.
    BrownieBoy-4ea41
  • I found your remarks very confusing until I remembered that lots of people, when they say "web-based applications" mean client-side applications. To me the web is the data on the web, and web-based applications are applications that sit on the server delivering the data; the browser/client is outside the web looking in. Just mentioning it because as a journalist, I'm sure you don't actually want to confuse people.
    Michael Kay
  • @michaelhkay

    > I found your remarks very confusing until I remembered that lots of people,
    > when they say "web-based applications" mean client-side applications

    Yes, absolutely true, and I agree that "web based" might be somewhat confusing, though that seems to me to be common usage. Either way, I'm trying to be clear, not confusing.

    First, the post is SPECIFICALLY and EXPLICITLY about updating client-side Java, and doesn't refer to server-side Java at all. This must surely be obvious to anybody who reads it, and the people who don't actually read posts before commenting are not my problem.

    Second, the meaning should become transparently clear when I talk of uninstalling Java from "Windows XP machines" and say I have "only noticed its absence twice: when downloading a YouTube video (KeepVid needs Java) and when running an ADSL speed test."

    Frankly, anybody who thinks this refers to server-side Java doesn't have a working brain.
    Jack Schofield
  • @Jack,

    Wouldn't it have been easier to just admit that you made an honest mistake, without insulting your readers?
    BrownieBoy-4ea41