Risk
6/3/2013 10:23 AM
Oracle Promises Enterprise Java Security Tweaks

Critics say Oracle hasn't done enough to address ongoing security and code quality problems in the Java browser plug-in.

Java security memo to enterprise IT managers: better distributed client control capabilities, locked-down Java servers and certificate-based controls are coming.

Those three upcoming Java security changes were outlined in "Maintaining the security-worthiness of Java is Oracle's priority," a Thursday blog post from Nandini Ramani, who heads Oracle's Java software development team and is responsible for Java security.

Ramani said Oracle's Java developers have already adopted stronger secure development practices, including more automated security testing tools, better source code analysis tools, and homegrown analysis tools designed to eliminate vulnerabilities that could otherwise be found with code-fuzzing techniques. She also noted that Oracle has refocused resources to release Java security updates more quickly.

Veteran Java bug hunter Adam Gowdiak, CEO and founder of Poland-based Security Explorations, confirmed via email that Oracle has been responding to bug reports in just days -- instead of the weeks it used to take. Gowdiak also rated Oracle's Java patching speed as "slightly improved," saying that after Oracle receives a vulnerability report, it's been issuing a fix about two months later.


Going forward, Oracle's Ramani promised further Java security improvements, starting with better controls for managing Java clients in the enterprise. "Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization," she said. For example, IT administrators will be able to restrict Java clients to only execute Java applications located on designated servers, which would make it more difficult for attackers to make PCs execute malicious Java applications located on remote servers.

Server-based Java will also be locked down further. In April 2013 Oracle already released an all-new Server Java Runtime Environment (Server JRE), a Java distribution designed "to reduce attack surface but also to reduce customer confusion when evaluating server exploitation risk factors," according to Ramani. Going forward, expect Oracle to refine Server JRE, "including the removal of certain libraries typically unnecessary for server operation," she said.

But Ramani said that tweaking Java 7 in this manner "would violate current Java specifications," meaning the related changes won't arrive until Oracle releases Java 8, which was originally slated for September 2013 but has been delayed because Oracle is now taking more time to fix Java 7 flaws.

The final previewed change concerns Java applications (aka JAR files) signed with digital certificates, a practice Oracle had been urging developers to adopt. As of Java 7 update 21, released in April 2013, the Java client began prohibiting any unsigned application from executing automatically and warned users about the risks of allowing such an application to run. To date, however, that system has relied on a static list of known-bad certificates and applications -- a restriction that Ramani said resulted from performance concerns. Soon, however, Oracle will introduce "a dynamic blacklisting mechanism including daily updates for both blacklisted JAR files and certificates," she said.
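The signed-application gate described above (known-bad JAR files and signer certificates refused, unsigned content refused, everything else with a valid signature allowed) can be sketched client-side as follows. This is an added illustration and not Oracle's plug-in code: the class, method and constant names are mine, the blocklist entries are constructed placeholders, and it assumes Java 17 or later for `HexFormat`.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical checker modelled on the gate the article describes: blocked JAR
// hashes and blocked signer certificates first, then unsigned content refused,
// then anything else with a valid signature allowed (the gap HD Moore points out).
public class JarPolicyCheck {
    enum Verdict { BLOCKED_JAR, BLOCKED_SIGNER, UNSIGNED, SIGNED_OK }

    // Constructed placeholders (lowercase hex SHA-256); under the "dynamic
    // blacklisting" Ramani describes these sets would be refreshed daily.
    static final Set<String> BLOCKED_JAR_SHA256 = Set.of("<sha256-of-known-bad-jar-placeholder>");
    static final Set<String> BLOCKED_CERT_SHA256 = Set.of("<sha256-of-known-bad-signer-cert-placeholder>");

    static String sha256Hex(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    static Verdict check(Path jarPath) throws Exception {
        if (BLOCKED_JAR_SHA256.contains(sha256Hex(Files.readAllBytes(jarPath)))) return Verdict.BLOCKED_JAR;
        boolean sawContent = false;
        // verify=true: an entry whose digest does not match its signature file
        // throws SecurityException when read; that is left to propagate.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                sawContent = true;
                // Signer certificates are populated only after the entry is fully read.
                try (InputStream in = jar.getInputStream(e)) { in.transferTo(OutputStream.nullOutputStream()); }
                Certificate[] certs = e.getCertificates();
                if (certs == null || certs.length == 0) return Verdict.UNSIGNED;
                for (Certificate c : certs) {
                    if (BLOCKED_CERT_SHA256.contains(sha256Hex(c.getEncoded()))) return Verdict.BLOCKED_SIGNER;
                }
            }
        }
        return sawContent ? Verdict.SIGNED_OK : Verdict.UNSIGNED;
    }
}
```

Note that SIGNED_OK only means the signer is not on the blocklist; nothing here establishes that the signer is trustworthy, which is precisely the limitation the critics quoted below describe.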

But Ramani didn't address criticism of the Java 7 warning system on information security and usability grounds. On the security front, notably, "obtaining a code-signing certificate has not been a barrier for malware in the past and there is little chance it will become one in the future," Metasploit creator HD Moore told Threatpost.

On the usability front, meanwhile, the warning system's success is predicated on end users taking the time to read, understand -- and care -- about the new Java warning messages. As Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said in April: "These dialogs end up asking the very questions that you might reasonably expect Java to answer."

Furthermore, Gowdiak at Security Explorations said that, with the exception of the new Local Security Policy features, Ramani's preview of upcoming improvements failed to address ongoing Java browser plug-in security shortcomings. "Seeing yet another Oracle VP speaking out about Java security only confirms our fears that the company prefers to hide a more systemic problem behind various security prompts and policies than to address it at the core," said Gowdiak via email.

"The core issue is about [the] poor quality and security of Oracle's code," he said. "We will get impressed if, and only if, Oracle makes it harder to break [the] Java security model. From our point of view the company hasn't made much [of a move] in that direction."

Comments
cbabcock (User Rank: Apprentice), 6/4/2013 12:44:44 AM
re: Oracle Promises Enterprise Java Security Tweaks
Good moves by Oracle on Java security, late in coming.
Charlie Babcock, InformationWeek editor at large.