Java Vulnerabilities Underscore Cross-Vendor Complexities Of Secure Code
6:56 PM EST Fri. Nov. 30, 2012
The Java browser plug-in has been getting a black eye in recent months from security experts who recommend that it be disabled because of the wide range of exploits that target it. As the volume of attacks continues to grow, a number of people have begun to suggest that, unless the plug-in is specifically needed, most machines would be better off without it.
Recent Java exploits include one for a vulnerability in Java JRE 7 Update 9 that enables remote code execution; the exploit is reportedly being sold on the black market for an undisclosed price.
"Java is a major threat vector today," said Paul Henry, security and forensics expert at Lumension. "But we also have to understand why they are such a major threat vector. People have historically done a poor job of patching Java, which is understandable to some extent because when you patch Java, it might affect your application. The bad guys understand this, and therefore they are looking for exploits. If you go back a year ago, they were focusing on Adobe Flash. But, Adobe started patching more frequently and so the attention has turned to Java. We have recommended in the past that you should disable it when you're waiting for patches. But once you get those patches, you can re-enable it."
Despite a relatively lengthy patch cycle, Henry says that Oracle does a relatively good job of pushing out unscheduled, out-of-band patches when vulnerabilities become public and are used in the wild. But in many cases, other vendors that ship Java within their own products are less diligent about plugging the holes.
"Apple is a perfect example," said Henry. "We had an issue a few months back with three known vulnerabilities for which Oracle pushed out patches. But, Apple only included one of those patches in their updates, leaving people exposed for quite some time."
Henry pointed to Microsoft as an example of a company that has made great improvements in addressing security issues, and he recommended that Apple examine the Microsoft model more closely. "Apple needs to investigate what's been done by Microsoft, but Apple will never want to do anything like Microsoft," he said.
Developing security patches for software is a significant challenge, according to Marcus Carey, security researcher at Rapid7.
"I think it highlights how hard it is to keep software secure, especially when you have to support so many platforms and so many browsers," said Carey. "It doesn't mean that Oracle is doing a horrible job in supporting security for the Java plug-ins. It's just hard to put up software that is secure."
Rapid7's Carey described a hacker strategy called "fuzzing," in which huge volumes of malformed or random data are continually fed to browsers and other applications in an attempt to make them crash, typically by triggering a memory-corruption bug such as a buffer overflow. Once they have a crash, attackers examine it to understand the underlying flaw and whether it can be exploited; a flaw the vendor does not yet know about becomes a new zero-day threat. "They've got systems that do this all day long," he said. "This is a nonstop effort to break stuff."
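The loop Carey describes, reduced to its essentials as an added example (this is not code from the article, from Rapid7 or from any fuzzing farm). The target is a constructed toy parser with two deliberate bugs, standing in for the browser or plug-in a real campaign would hammer; the fuzzer mutates a known-good seed, feeds each mutant to the target, treats any exception the parser does not raise on purpose as a crash, and keeps the first input for each crash class so it can be examined and reproduced afterwards. The format, the seed and the mutation operators are all assumptions of the example.

```python
"""Mutation fuzzing against a toy parser (added example, not from the article)."""
import random

# Constructed valid input: count=2, stride=2, then "abcd" and "xy" as length-prefixed fields.
SEED = bytes([2, 2, 4]) + b"abcd" + bytes([2]) + b"xy"


def parse_record(data: bytes) -> list[bytes]:
    """Toy target.  Format: [count][stride] then count x ([length][payload]).

    Bug 1: 'count' and each 'length' are trusted, so a truncated input is
           indexed past its end (IndexError, Python's stand-in for an
           out-of-bounds read in native code).
    Bug 2: 'stride' is used as a divisor without being checked (ZeroDivisionError).
    A too-short header is rejected with ValueError on purpose; that is
    handling, not a crash."""
    if len(data) < 2:
        raise ValueError("header missing")
    count, stride = data[0], data[1]
    pos, fields = 2, []
    for _ in range(count):
        length = data[pos]                                    # bug 1
        fields.append(bytes(data[pos + 1 + i] for i in range(length)))
        pos += 1 + length
    chunks = []
    for field in fields:
        for i in range(len(field) // stride):                 # bug 2
            chunks.append(field[i * stride:(i + 1) * stride])
    return chunks


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level mutations to the seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete", "truncate", "interesting"))
        if op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif not data:
            continue
        elif op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "delete":
            del data[rng.randrange(len(data))]
        elif op == "truncate":
            del data[rng.randrange(len(data)):]
        else:  # overwrite a byte with a value that tends to hit boundary conditions
            data[rng.randrange(len(data))] = rng.choice((0, 1, 0x7F, 0x80, 0xFF))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict[str, bytes]:
    """Run the loop; return {exception class name: first input that triggered it}."""
    rng = random.Random(rng_seed)
    crashes: dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                      # the parser rejected the input cleanly
        except Exception as exc:          # anything else is a crash worth examining
            crashes.setdefault(type(exc).__name__, case)
    return crashes


def reproduces(target, case: bytes, exc_name: str) -> bool:
    """Re-run a saved crashing input and confirm it still fails the same way."""
    try:
        target(case)
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False


if __name__ == "__main__":
    found = fuzz(parse_record, SEED, iterations=10000)
    for name, case in found.items():
        print(f"{name}: {case!r} reproduces={reproduces(parse_record, case, name)}")
```

Two details matter in practice and are easy to lose in a toy. First, the fuzzer separates the exceptions the parser raises deliberately from the ones it does not; in native code the same distinction is between a clean error return and a signal. Second, every crash is saved with the exact input that produced it, because the examination step Carey mentions starts by reproducing the crash, not by staring at the fuzzer's output.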
Carey further explained that the development of security updates requires extensive quality assurance across multiple platforms to make sure that the security fix does its job without adversely impacting the application. "Then, even if it works on one platform, it might break the other platform," he said. "It's a really tough situation."
Nonetheless, Carey recommends that Oracle increase the cadence of its releases, as opposed to the current interval of approximately four months. Microsoft, for example, issues patches on a monthly basis, though it is difficult to know how long those patches are in the pipeline before they are deployed.
"The Java browser plug-in is not needed by a lot of people," he added. "And that's the problem right there: people using that plug-in who don't really need it. Sometimes the Java install will add the plug-in for the browser, but you have to go in and disable it. Most Java applications are desktop applications that businesses use. But it's very rare that people will download and run applets on their computer in most cases. And that's what the plug-in is for."
Disabling the plug-in is viewed as a "Draconian approach" by Gartner security analyst Lawrence Pingree. "The main thing is that they need to respond promptly when something is happening out in the wild," he said. "But delays happen for a variety of reasons. If there's not enough information, they have to re-create the particular scenario in which the vulnerability exists. It sometimes takes a team of people to figure out how a given vulnerability can be exploited. It's a difficult thing to do in a finite time frame if you don't have all the information at hand."
Whitelisting at the firewall ranks among the more innovative approaches to securing Java without the necessity of disabling it.
"In the corporate environment, you can configure a firewall to control what Java can talk to, and thereby defend against zero-day drive-bys," explained Chet Wisniewski, senior security advisor at Sophos. "So if you know your company uses GoToMeeting, or uses ADP payroll services, both of which use Java, then you can block [Java] from supporting anything but those two things. But when you find yourself on badguy.ru, you don't want Java loading."
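What Wisniewski's rule looks like when written down, as an added example rather than anything from the article or from Sophos: Java is identified by its client signature, and a Java request is allowed only if its destination is on a short allowlist; everything else Java tries to reach is denied and logged. It assumes that the JRE's HTTP stack identifies itself with a "Java/<version>" token in the User-Agent header (its default, which applet fetches through the plug-in also carry), that the proxy records hosts and user agents, and that gotomeeting.com and adp.com are placeholders for whatever domains those services actually use. The log lines are constructed, not real traffic.

```python
"""Outbound allowlist for Java, evaluated over proxy log lines (added example)."""
import re

# Assumed allowlist: only these domains (and their subdomains) may be reached by Java.
JAVA_ALLOWED_DOMAINS = ("gotomeeting.com", "adp.com")

# The JRE's HTTP client sends "Java/<version>" in its User-Agent header.
JAVA_UA = re.compile(r"\bJava/\d")


def is_java_client(user_agent: str) -> bool:
    return bool(JAVA_UA.search(user_agent))


def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port (hostnames only, no IPv6 literals)."""
    return host.strip().lower().rstrip(".").partition(":")[0]


def host_allowed(host: str, allowlist=JAVA_ALLOWED_DOMAINS) -> bool:
    """Exact or subdomain match only: 'notadp.com' must not pass for 'adp.com'."""
    host = normalise_host(host)
    return any(host == d or host.endswith("." + d) for d in allowlist)


def decide(host: str, user_agent: str, allowlist=JAVA_ALLOWED_DOMAINS) -> str:
    """Policy: non-Java clients are out of scope here; Java may reach only the allowlist."""
    if not is_java_client(user_agent):
        return "allow"
    return "allow" if host_allowed(host, allowlist) else "deny"


# Constructed log lines (tab-separated: time, client, host, user agent); not real traffic.
SAMPLE_LOG = "\n".join([
    "2012-11-30T14:01:02\t10.0.0.12\twww.badguy.ru\tMozilla/5.0 (Windows NT 6.1) Firefox/17.0",
    "2012-11-30T14:01:03\t10.0.0.12\tglobal.gotomeeting.com\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_09",
    "2012-11-30T14:01:05\t10.0.0.12\twww.badguy.ru\tJava/1.7.0_09",
    "2012-11-30T14:02:10\t10.0.0.31\tportal.adp.com:443\tJava/1.6.0_37",
    "2012-11-30T14:02:11\t10.0.0.31\tnotadp.com\tJava/1.6.0_37",
])


def audit(log_text: str, allowlist=JAVA_ALLOWED_DOMAINS) -> list[dict]:
    """Evaluate every line; a denied Java request is the drive-by indicator the rule exists to catch."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ua = line.split("\t", 3)
        results.append({"time": ts, "client": client, "host": host,
                        "java": is_java_client(ua), "decision": decide(host, ua, allowlist)})
    return results


def denied_hosts(log_text: str, allowlist=JAVA_ALLOWED_DOMAINS) -> list[str]:
    return [r["host"] for r in audit(log_text, allowlist) if r["decision"] == "deny"]


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(r)
```

The browser's own visit to badguy.ru is still allowed, because the rule is not a URL filter: it only stops Java from fetching content from anywhere the company has not explicitly approved, which is exactly the path a drive-by applet needs. The suffix check is written to match the domain and its subdomains and nothing else; a naive `endswith("adp.com")` would let an attacker-registered lookalike through.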
Wisniewski added that it is time to take a new look at how firewalls are used to protect enterprises from both upstream and downstream threats.
"We've been using firewalls for years as if everything from the outside coming in is bad, but we can go out and do anything we want," he said. "And that's really kind of silly. We need to control the outbound traffic because the data is getting stolen on the way out. It's because we're going out to a bad website and pulling back the content."
From the standpoint of channel partners, the benefits of having Java often outweigh the difficulties. "I definitely agree that Java presents an opportunity for attack," said Jim Wallworth, president of Apollo Information Systems in Los Gatos, Calif. "But I also think it is worth keeping. Many of our customers need it, and I haven't heard security complaints from those who do."
Oracle could not be reached for comment.