
Java security holes need fixing immediately

Written by Jack Schofield, Contributor

Oracle has just released another big security update, patching 17 vulnerabilities across various platforms -- except for Apple's Mac OS X, where Apple ships its own Java. All the holes can be exploited remotely without authentication, which means the patches should be applied as a matter of urgency, especially on systems where Microsoft Windows is being run with administrator privileges. However, an alternative is to remove all current and future Java vulnerabilities at a stroke by uninstalling Java. Java has failed as a system for developing web-based applications, and few users are likely to miss it.

Where Windows is being run with a root (administrator) account, the most severe of the vulnerabilities carries the highest possible CVSS (Common Vulnerability Scoring System) base score of 10.0. It falls to 7.5 where users are not administrators, which is commonly the case with Linux and Solaris, because a successful exploit then compromises only the user's account rather than the whole machine.

In its web announcement, Oracle said, in bold: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible."

Oracle is in the process of pushing out the update to those who have enabled auto-updates, and I've already installed it where necessary. The only catch is that it may close down all your browser sessions even if you tell it not to. Users can also download Java 6 update 26 manually.

Oracle is not providing security fixes for Apple users, who will have to wait for Apple to provide them. This could leave Mac users vulnerable if any malware writers can be bothered to reverse-engineer the patches and exploit the underlying bugs before Apple ships its own update. The Mac's relatively small user base -- there are only 54 million compared with roughly 1,350 million or more PCs -- does not make it a prime target, though it has recently been attacked via social engineering and fake anti-malware.

As Microsoft pointed out in its latest Security Intelligence Report, Java has become a significant target for malware writers. In a previous post, I quoted the report as follows:

"Malware written in Java has existed for many years, but attackers had not focused significant attention on exploiting Java vulnerabilities until somewhat recently. In 3Q10, the number of Java attacks increased to fourteen times the number of attacks recorded in 2Q10, driven mostly by the exploitation of a pair of vulnerabilities in versions of the Sun (now Oracle) JVM, CVE-2008-5353 and CVE-2009-3867. Together, these two vulnerabilities accounted for 85 percent of the Java exploits detected in the second half of 2010."

The question now is whether Java is still worth the security risk, and for most of its 850 million users, it probably is not. I uninstalled it from my Windows XP machines a couple of years ago, following an earlier attack, and have only noticed its absence twice: when downloading a YouTube video (KeepVid needs Java) and when running an ADSL speed test. In both cases, it was reasonably easy to find alternatives.

Today, Chester Wisniewski from Sophos took the same line in his blog post on the issue, saying:

"If you haven't already, I recommend testing out your standard OS images without the Java plug-in. Most people aren't using Java these days and it reduces the attack surface for exploits delivered over the internet."

Times have changed since Java was controlled by the relatively altruistic but marginally competent Sun Microsystems, and its stewardship has now passed to Oracle, which is extremely competent at making money. The kind of impact Oracle is having is illustrated in the Java Community Process vote on Java SE 7, which H Open said had "been passed, but not without a chorus of protest from participants in the process. Google's was the only no vote, but IBM, Red Hat, SouJava, London Java Community, Goldman Sachs and Fujitsu all said they were only voting yes on the technical merits of the proposal and did not approve of Oracle's handling of the Java licensing, the expert groups or the transparency of the process."

It's always possible that Oracle will "donate" Java to the Apache Foundation -- which it has proposed with Sun's buggy and failing Open Office suite -- but that was only after LibreOffice forked the code and looked likely to win community support. There could well be some unpleasant battles before Java becomes truly open, if it ever does.

@jackschofield
