6/3/2013
10:23 AM
Oracle Promises Enterprise Java Security Tweaks

Critics say Oracle hasn't done enough to address ongoing security and code quality problems in the Java browser plug-in.

Java security memo to enterprise IT managers: better distributed client controls, locked-down Java servers and certificate-based controls are coming.

Those three upcoming Java security changes were outlined in "Maintaining the security-worthiness of Java is Oracle's priority," a Thursday blog post from Nandini Ramani, who heads Oracle's Java software development team and is responsible for Java security.

Ramani said Oracle's Java developers have already adopted stronger secure-development practices, including wider use of automated security testing, better source code analysis tools, and homegrown analysis tools that hammer the code to eliminate vulnerabilities an attacker might otherwise find by fuzzing. She also noted that Oracle has refocused resources so that Java security updates can be released more quickly.

Veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations, confirmed via email that Oracle has been responding to bug reports in just days -- instead of the weeks it used to take. Gowdiak also rated Oracle's Java patching speed as "slightly improved," saying that after Oracle receives a vulnerability report, it's been issuing a fix about two months later.

Going forward, Oracle's Ramani promised further Java security improvements, starting with better controls for managing Java clients in the enterprise. "Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization," she said. For example, IT administrators will be able to restrict Java clients to only execute Java applications located on designated servers, which would make it more difficult for attackers to make PCs execute malicious Java applications located on remote servers.

Server-based Java will also get more locked down. Already, Oracle in April 2013 released an all-new Server Java Runtime Environment (Server JRE), which was a Java distribution designed "to reduce attack surface but also to reduce customer confusion when evaluating server exploitation risk factors," according to Ramani. Going forward, expect Oracle to refine Server JRE, "including the removal of certain libraries typically unnecessary for server operation," she said.

But Ramani said that tweaking Java 7 in this manner "would violate current Java specifications," meaning the related changes won't happen until Oracle releases Java 8, which was originally set for September 2013 but has been delayed because Oracle is now devoting more time to fixing Java 7 flaws.

The final previewed change concerns Java applications (JAR files) signed with digital certificates, which Oracle had been urging developers to adopt. As of Java 7 update 21, released in April 2013, the Java client began prohibiting any unsigned application from executing automatically and warned users to be cautious about allowing such an application to run. To date, however, that system has relied on a static list of known-bad certificates and applications -- a restriction that Ramani said resulted from performance concerns. Soon, however, Oracle will introduce "a dynamic blacklisting mechanism including daily updates for both blacklisted JAR files and certificates," she said.
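The following is an added illustration, not Oracle's code, of the client-side decision logic the article describes in the two passages above: a Local Security Policy allow-list of designated servers, a refusal to auto-run unsigned JARs, and a blacklist of known-bad JAR files and signers. The policy format, the host names and the in-memory JARs are all constructed for the example; real signature verification (checking the .SF digests and the certificate chain) is deliberately out of scope, and the "signer" blacklist is keyed on a hash of the JAR's signature-block file as a stand-in for a certificate fingerprint.

```python
import hashlib
import io
import zipfile
from urllib.parse import urlparse


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_jar(entries):
    """Build an in-memory JAR (a zip file) from {name: bytes}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def signature_blocks(jar_bytes):
    """Return the raw signature-block files (META-INF/*.RSA, *.DSA, *.EC) found in a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [zf.read(n) for n in zf.namelist()
                if n.upper().startswith("META-INF/")
                and n.upper().endswith((".RSA", ".DSA", ".EC"))]


def evaluate(app_url, jar_bytes, policy):
    """Model of the client decision: allow-listed server, then JAR blacklist, then signature, then signer blacklist."""
    host = urlparse(app_url).hostname or ""
    if host not in policy["allowed_hosts"]:          # Local Security Policy: designated servers only
        return "block: server not in Local Security Policy allow-list"
    if sha256_hex(jar_bytes) in policy["blocked_jar_sha256"]:
        return "block: JAR is blacklisted"
    blocks = signature_blocks(jar_bytes)
    if not blocks:                                     # Java 7u21 behaviour: no automatic execution when unsigned
        return "block: unsigned application"
    for block in blocks:
        if sha256_hex(block) in policy["blocked_signer_sha256"]:
            return "block: signer certificate is blacklisted"
    return "run: signed by non-blacklisted signer on designated server"


# Constructed sample data (hypothetical host name and fake signature block).
EXAMPLE_POLICY = {"allowed_hosts": {"apps.corp.example"},
                  "blocked_jar_sha256": set(), "blocked_signer_sha256": set()}
UNSIGNED_JAR = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                          "Main.class": b"\xca\xfe\xba\xbe"})
SIGNED_JAR = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                        "META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",
                        "META-INF/SIGNER.RSA": b"constructed-pkcs7-signature-block",
                        "Main.class": b"\xca\xfe\xba\xbe"})
```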

But Ramani didn't address criticism of the Java 7 warning system on information security and usability grounds. On the security front, notably, "obtaining a code-signing certificate has not been a barrier for malware in the past and there is little chance it will become one in the future," Metasploit creator HD Moore told Threatpost.

On the usability front, meanwhile, the warning system's success is predicated on end users taking the time to read, understand -- and care -- about the new Java warning messages. As Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said in April: "These dialogs end up asking the very questions that you might reasonably expect Java to answer."

Furthermore, Gowdiak at Security Explorations said that, with the exception of the new Local Security Policy features, Ramani's preview of upcoming improvements failed to address ongoing Java browser plug-in security shortcomings. "Seeing yet another Oracle VP speaking out about Java security only confirms our fears that the company prefers to hide a more systemic problem behind various security prompts and policies than to address it at the core," said Gowdiak via email.

"The core issue is about [the] poor quality and security of Oracle's code," he said. "We will get impressed if, and only if, Oracle makes it harder to break [the] Java security model. From our point of view the company hasn't made much [of a move] in that direction."

Comments
cbabcock,
User Rank: Apprentice
6/4/2013 | 12:44:44 AM
re: Oracle Promises Enterprise Java Security Tweaks
Good moves by Oracle on Java security, late in coming.
Charlie Babcock, InformationWeek editor at large.