6/3/2013
10:23 AM

Oracle Promises Enterprise Java Security Tweaks

Critics say Oracle hasn't done enough to address ongoing security and code quality problems in the Java browser plug-in.

Java security memo to enterprise IT managers: Better distributed client control capabilities, locked down Java servers and certificate-based controls are coming.

Those three upcoming Java security changes were outlined in "Maintaining the security-worthiness of Java is Oracle's priority," a Thursday blog post from Nandini Ramani, who heads Oracle's Java software development team and is responsible for Java security.

Ramani said Oracle's Java developers have already adopted stronger secure development practices, including more automated security testing tools, better source code analysis tools, and homegrown analysis tools built to eliminate the kinds of vulnerabilities that attackers find with code-fuzzing techniques. She also noted that Oracle has refocused resources so that Java security updates can be released more quickly.

Veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations, confirmed via email that Oracle has been responding to bug reports in just days -- instead of the weeks it used to take. Gowdiak also rated Oracle's Java patching speed as "slightly improved," saying that after Oracle receives a vulnerability report, it's been issuing a fix about two months later.


Going forward, Oracle's Ramani promised further Java security improvements, starting with better controls for managing Java clients in the enterprise. "Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization," she said. For example, IT administrators will be able to restrict Java clients to only execute Java applications located on designated servers, which would make it more difficult for attackers to make PCs execute malicious Java applications located on remote servers.

Server-based Java will also get more locked down. Already, Oracle in April 2013 released an all-new Server Java Runtime Environment (Server JRE), which was a Java distribution designed "to reduce attack surface but also to reduce customer confusion when evaluating server exploitation risk factors," according to Ramani. Going forward, expect Oracle to refine Server JRE, "including the removal of certain libraries typically unnecessary for server operation," she said.

But Ramani said that tweaking Java 7 in this manner "would violate current Java specifications," meaning the related changes won't happen until Oracle releases Java 8. Java 8 was originally due in September 2013 but has been delayed because Oracle is now taking more time to fix Java 7 flaws.

The final previewed change concerns the signing of Java applications (JAR files) with digital certificates, a practice Oracle had been urging developers to adopt. Then, as of Java 7 update 21, released in April 2013, the Java client began prohibiting any unsigned application from executing automatically and warned users against allowing such applications to run. To date, however, that system has relied on a static list of known-bad certificates and applications -- a restriction that Ramani said resulted from performance concerns. Soon, Oracle will introduce "a dynamic blacklisting mechanism including daily updates for both blacklisted JAR files and certificates," she said.

But Ramani didn't address criticism of the Java 7 warning system on information security and usability grounds. On the security front, notably, "obtaining a code-signing certificate has not been a barrier for malware in the past and there is little chance it will become one in the future," Metasploit creator HD Moore told Threatpost.
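To make concrete what the blocklist described above amounts to, and why Moore's objection applies, here is an added example (not Oracle's code and not part of the original article): a check that compares a JAR's own SHA-256 hash and the SHA-256 fingerprint of every certificate that signed it against blocklists. The fingerprint values are constructed placeholders, and the code assumes Java 17 or later for `HexFormat`.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarBlocklistCheck {
    // Constructed placeholders standing in for the blocklists a client would download.
    static final Set<String> BLOCKED_JAR_SHA256 = Set.of("<placeholder-jar-sha256-hex>");
    static final Set<String> BLOCKED_SIGNER_SHA256 = Set.of("<placeholder-cert-sha256-hex>");

    static String sha256Hex(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    /** Verdict for one JAR: BLOCKED_JAR, BLOCKED_SIGNER, UNSIGNED, SIGNATURE_INVALID or NOT_LISTED. */
    static String verdict(Path jarPath) throws Exception {
        if (BLOCKED_JAR_SHA256.contains(sha256Hex(Files.readAllBytes(jarPath)))) return "BLOCKED_JAR";
        // verify=true makes JarFile check each entry's digest as the entry is read;
        // getCodeSigners() is populated only after the entry has been read to EOF.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream()); // forces digest verification
                } catch (SecurityException tampered) {
                    return "SIGNATURE_INVALID";
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return "UNSIGNED"; // Java 7u21+ refuses to auto-run these
                for (CodeSigner signer : signers) {
                    for (Certificate cert : signer.getSignerCertPath().getCertificates()) {
                        if (BLOCKED_SIGNER_SHA256.contains(sha256Hex(cert.getEncoded()))) return "BLOCKED_SIGNER";
                    }
                }
            }
        }
        return "NOT_LISTED"; // absence from a blocklist is not evidence the code is benign
    }

    public static void main(String[] args) throws Exception {
        System.out.println(verdict(Path.of(args[0])));
    }
}
```

The NOT_LISTED outcome is the limitation Moore points to: a certificate that is not yet on the list, however it was obtained, passes this check.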

On the usability front, meanwhile, the warning system's success is predicated on end users taking the time to read, understand -- and care -- about the new Java warning messages. As Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said in April: "These dialogs end up asking the very questions that you might reasonably expect Java to answer."

Furthermore, Gowdiak at Security Explorations said that, with the exception of the new Local Security Policy features, Ramani's preview of upcoming improvements failed to address ongoing Java browser plug-in security shortcomings. "Seeing yet another Oracle VP speaking out about Java security only confirms our fears that the company prefers to hide a more systemic problem behind various security prompts and policies than to address it at the core," said Gowdiak via email.

"The core issue is about [the] poor quality and security of Oracle's code," he said. "We will get impressed if, and only if, Oracle makes it harder to break [the] Java security model. From our point of view the company hasn't made much [of a move] in that direction."

Comments

cbabcock, 6/4/2013 | 12:44:44 AM
re: Oracle Promises Enterprise Java Security Tweaks
Good moves by Oracle on Java security, late in coming. Charlie Babcock, InformationWeek editor at large.