Security experts on Java: Fixing zero-day exploit could take 'two years'

  • 15 January 2013

Oracle, distributor of Sun's Java software, has not had the best weekend.
First came the discovery of chinks in the computer language's armor last week, after researcher "kafeine" pointed out a number of websites that were exploiting a zero-day security vulnerability in Java 7 Update 10. The flaw could result in malware installation or identity theft, or be used to rope personal computers into unauthorized botnets -- which can then be used in denial-of-service attacks against other sites.
The problem was severe enough for the firm to release an emergency patch -- Java 7 Update 11 -- over the weekend. However, security experts have warned that the changes do not go far enough.
Security researcher Adam Gowdiak from Security Explorations has been keeping an eye on the software flaws in Java over the past year. Once Gowdiak analyzed the latest update to Java, he found that the patch still leaves a number of "critical security flaws," according to Reuters. This statement, mirrored by AlienVault Labs' Jaime Blasco who branded Oracle's offering as a "mess," was later reinforced by the firm's recommendation against using the software.
"We don't dare to tell users that it's safe to enable Java again," Gowdiak commented.
However, it is not only the general public that needs to sit up and take note. When it comes to businesses, a number of security firms are also recommending immediate action to disable the software. For the average person, the possibility of identity theft or malware is horrendous, but it could cost firms far more over the long term.
Speaking to the news agency, Rapid7 chief security officer HD Moore estimated that it could take up to two years for Oracle to fix the flaws found in the version of Java used to browse the Internet -- not taking into consideration any further exploits that are developed within this timeframe.
It seems like something of a lost cause, as he advised:

Full Article

TH

2 replies

Oracle needs to stop the madness. Java will never be trusted again, and probably needs to be completely re-written.
Thx TH for the great article ;)

I fully agree with all of you that Java is a pain. The problem is that it's widely spread across systems, devices etc. (they have 3 billion installations) and many companies have built their solutions on Java applets and the Java environment. Having said this, it's sometimes hard to completely give up on Java, and in such a case you have no other choice than to try to minimize the risks as much as possible. What really drives me crazy is that many banks worldwide are operating their on-line banking systems based on Java, which is a mess indeed. My bank not excepted. So even though Java is buggy, vulnerable etc., it probably will stay as long as third-party applications are dependent on Java.

Just my two cents.
