Security experts on Java: Fixing zero-day exploit could take 'two years'

Summary: Amid growing concern over Java's security, Oracle released an emergency fix over the weekend. However, security professionals say that this measure doesn't go far enough.


Oracle, distributor of Sun's Java software, has not had the best weekend.

First came the discovery of chinks in the computer language's armor last week, after researcher "kafeine" pointed out a number of websites that were exploiting a zero-day security vulnerability in Java 7 Update 10. The flaw could be used to install malware, to steal identities, or to rope personal computers into unauthorized botnets -- which can then be used in denial-of-service attacks against other sites.

The problem was severe enough for the firm to release an emergency patch -- Java 7 Update 11 -- over the weekend. However, security experts have warned that the changes do not go far enough.

Security researcher Adam Gowdiak from Security Explorations has been keeping an eye on the software flaws in Java over the past year. Once Gowdiak analyzed the latest update to Java, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This statement, mirrored by AlienVault Labs' Jaime Blasco who branded Oracle's offering as a "mess," was later reinforced by the firm's recommendation against using the software.

"We don't dare to tell users that it's safe to enable Java again," Gowdiak commented.

However, it is not only the general public which needs to sit up and take note. When it comes down to businesses, a number of security firms are also recommending immediate action to disable the software. For the average person, the possibility of identity theft or malware is horrendous, but it could cost firms far more over the long term. 

Speaking to the news agency, HD Moore, chief security officer of the business security company Rapid7, estimated that it could take up to two years for Oracle to fix the flaws found in the version of Java used to browse the Internet -- not taking into consideration any further exploits that are developed within this timeframe.

It seems like something of a lost cause, as he advised:

"The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don't really need Java on their desktop."

Due to the widespread use of Java software, usually found as a plug-in for Internet browsers including Internet Explorer and Firefox, the security flaw is believed to have the potential to place over 850 million PCs at risk worldwide. It has not only been the concern of security experts: the U.S. Department of Homeland Security has also advised that PC owners immediately disable and stop using the software. Apple has also taken steps to disable the OS X plug-in that runs Java on some Macs, as well as updating its XProtect anti-malware definitions list.

The DHS' Computer Emergency Readiness Team (CERT) commented:

"We are currently unaware of a practical solution to this problem. This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."

Not sure how to disable Java? We've created a step-by-step guide for you.

  • Not strictly true...

    "Folks don't really need Java on their desktop."

    There are a lot of portals, especially B2B portals, that require Java. There are also a number of games that are written in Java; for example Minecraft.
    • Minecraft!

      Almost forgot about that, there goes the idea of uninstalling. Maybe run MC in a VM.
      • I thought open source is secure

        What happens to all the beautiful promises of "open", "many eyes reviewing" and so on?
        • Java is not open source

          It is a proprietary product from Oracle.
          • The Sun never sets?

            And when it was a Sun "product", it was "proprietary" too? Do you know the meaning of "open source" and "proprietary"? Or is that just your a$$ talking?
            Johnny Bryla
          • The Sun never sets?

            @Johnny Bryla: "when it was a Sun "product", it was "proprietary" too?"

            There is proprietary and then there is proprietary: The devil is in the details. The relationship between developers and the host company is critical.

            See the fate of Open Office as a perfect example.
          • Yup, proprietary

            Because we are talking about the JRE, not the language. OpenJDK is another Java implementation that IS fully free.
          • You were right up until version 7.

            They finally eliminated the bits of unfree source.
        • I thought open source is secure

          > "What happens to all the beautiful promises of "open", "many eyes reviewing" and so on?"

          That was precisely the reason the problem was discovered.
        • If you use Open Source, probably...

          using SELinux to avoid rogue execution of programs will suffice. But if you're aiming at criticism, and probably using Windows, well, how many things YOU don't know are right now affecting your computer? At least OS contributors and the community communicate and have the power to DO something, instead of being left in the dark until someone calls the NEXT security patch a full new OS version. Keep being creative, and READ.
        • Apache left before Java 7 was developed

          and Apache did most of the work in previous versions.
          And the reason for Apache leaving was that Oracle was basically not listening to anyone.
        • Language vrs JVM

          Ultimately the problem lies within the JVM itself and not the language. As far as I know the JVM code is not open source, and never has been.
          Jared Beekman
        • beautiful promises of "open", "many eyes reviewing" and so on?

          AFAIK that's never been the case and I think it's pretty clear that "many eyes" is a dismal failure simply because it doesn't happen. Most of them aren't up to date on good security and besides a lot of others don't look for such things.

          I'm finding "open source" to be fading away, sort of, or there would be, for instance, a better replacement for PaintShop Pro than Gimp! Open Office and LibreOffice are decent, but not particularly going anywhere anymore. New drivers are scarce as hen's teeth, and so on.

          Relax, that's just my opinion.
        • Not applicable here

          This is a bug in Oracle's Java Runtime Environment, which they have exclusive control over when it comes to the development. Therefore nobody else can fix it.

          As Java as a language is open, we have other JREs such as OpenJDK. Right there is what you implied didn't exist.
      • You Can Run Minecraft as an Application

        You don't need to enable Java in your browser to run Minecraft. You can download it and run it as an application. There is nothing more insecure about that than running any other application.

        The security holes related to Java are all about its supposed sandboxing capabilities. That is, the security holes are related to running unknown/untrusted code safely, which is typically only done within a browser (apps you install on your computer should be trusted).
    • Uninstall Java NOW if you haven't done it already.

      You'll find that almost all the sites that still "required" it a few years ago no longer do. They have been rewritten and will send you perfectly capable non-Java versions. I uninstalled Java from all home, work, family and friends' machines about 5 years ago. No one has missed it. Not for banking, travel, etc. or anything else. IT'S TRUE, YOU DON'T NEED IT ON YOUR PERSONAL DESKTOP. If there's any site you come across that still uses it, STOP USING that site and move to a competitor right away. You should have switched years ago; it's past time to give up on them. They obviously don't care about your security. Stop supporting companies that suck that way.
      Johnny Vegas
      • Talk to the Banks

        Most banking sites and brokerage trading sites use Java. In fact, Java is very popular in the corporate world. It would be easier for Oracle to fix Java than for half the corporate world to fix their websites using Java.
      • Why not uninstall Windows too, while you're at it?

        Windows is full of security holes, too, and the arguments regarding it being necessary on a computer are dubious. Use Linux instead.
        • LOL

          At this point in time Windows is no less safe than any other popular OS.
          • Sorry, it's obviously not

            ... and no amount of repetition in these comments will make it so.