Rapid7's Carey described a hacker strategy called "fuzzing," in which huge chunks of malformed data are continually fed to browsers and other applications in an attempt to make the application crash, typically through a buffer overflow. Once they have caused a crash, they then examine its effects to gain a better understanding of the underlying vulnerability, which at that point becomes a new zero-day threat. "They've got systems that do this all day long," he said. "This is a nonstop effort to break stuff."
Carey further explained that the development of security updates requires extensive quality assurance across multiple platforms to make sure that the security fix does its job without adversely impacting the application. "Then, even if it works on one platform, it might break the other platform," he said. "It's a really tough situation."
Nonetheless, Carey recommends that Oracle increase the cadence on their releases, as opposed to the current interval of approximately four months. Microsoft, for example, issues patches on a monthly basis, though it is difficult to know how long those patches are in the pipeline before they are deployed.
"The Java browser plug-in is not needed by a lot of people," he added. "And, that's the problem right there, people using that plug-in who don't really need it. Sometimes the Java install will add the plug-in for the browser, but you have to go in and disable it. Most Java applications are desktop applications that businesses use. But, it's very rare that people will download and run applets on their computer in most cases. And that's what the plug-in is for."
Disabling the plug-in is viewed as a "Draconian approach" by Gartner security analyst Lawrence Pingree. "The main thing is that they need to respond promptly when something is happening out in the wild," he said. "But delays happen for a variety of reasons. If there's not enough information, they have to re-create the particular scenario in which the vulnerability exists. It sometimes takes a team of people to figure out how a given vulnerability can be exploited. It's a difficult thing to do in a finite time frame if you don't have all the information at hand."
Whitelisting at the firewall ranks among the more innovative approaches to securing Java without the necessity of disabling it.
"In the corporate environment, you can configure a firewall to control what Java can talk to, and thereby defend against zero-day drive-bys," explained Chet Wisniewski, senior security advisor at Sophos. "So if you know your company uses GoToMeeting, or uses ADP payroll services, both of which use Java, then you can block [Java] from supporting anything but those two things. But when you find yourself on badguy.ru, you don't want Java loading."
Wisniewski added that it is time to take a new look at how firewalls are used to protect enterprises from both upstream and downstream threats.
"We've been using firewalls for years as if everything from the outside coming in is bad, but we can go out and do anything we want," he said. "And that's really kind of silly. We need to control the outbound traffic because the data is getting stolen on the way out. It's because we're going out to a bad website and pulling back the content."
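The outbound allowlist that Wisniewski describes can be checked against proxy or firewall logs as well as enforced at the gateway. The following is an added example, not code from the article or from Sophos: it parses constructed proxy log lines, picks out requests made by the Java runtime (which identifies itself with a User-Agent beginning "Java/"), and flags any destination outside a small allowlist of business-required domains. The log format, the client addresses, the URLs and the allowlist entries are all assumptions for illustration.

```python
"""Egress allowlist check for Java plug-in traffic (constructed example).

Reads proxy log lines, keeps only requests sent by the Java runtime, and
reports which of those went to hosts outside the corporate allowlist.
The log format, hosts and allowlist below are assumptions, not the
configuration of any real firewall product.
"""
import re
from urllib.parse import urlsplit

# Assumed allowlist: the domains the business actually needs Java to reach.
JAVA_EGRESS_ALLOWLIST = frozenset({"gotomeeting.com", "adp.com"})

# Assumed proxy log layout: timestamp client-ip method url status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Java's built-in HTTP client sends a User-Agent such as "Java/1.7.0_10".
JAVA_UA_RE = re.compile(r"^Java/")


def host_allowed(host, allowlist=JAVA_EGRESS_ALLOWLIST):
    """True if host is an allowlisted domain or a subdomain of one.

    The leading dot in the suffix test prevents look-alike names such as
    "evil-adp.com" or "gotomeeting.com.badguy.ru" from matching.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def evaluate(lines, allowlist=JAVA_EGRESS_ALLOWLIST):
    """Split Java-originated requests into (allowed, blocked) lists.

    Lines that do not parse, or that were not sent by Java, are ignored;
    the policy here is only about what the Java runtime may talk to.
    """
    allowed, blocked = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not JAVA_UA_RE.match(rec["ua"]):
            continue
        (allowed if host_allowed(rec["host"], allowlist) else blocked).append(rec)
    return allowed, blocked


# Constructed sample log: two legitimate Java destinations, two that should
# be blocked (one a look-alike subdomain), and one non-Java browser request.
SAMPLE_LOG = [
    '2013-01-15T10:02:11Z 10.0.0.12 GET https://global.gotomeeting.com/join/123 200 "Java/1.7.0_10"',
    '2013-01-15T10:02:15Z 10.0.0.12 GET https://portal.adp.com/payroll 200 "Java/1.7.0_10"',
    '2013-01-15T10:03:01Z 10.0.0.12 GET http://badguy.ru/applet.jar 200 "Java/1.7.0_10"',
    '2013-01-15T10:03:05Z 10.0.0.12 GET http://gotomeeting.com.badguy.ru/x.jar 200 "Java/1.7.0_10"',
    '2013-01-15T10:03:09Z 10.0.0.12 GET http://badguy.ru/ 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    ok, bad = evaluate(SAMPLE_LOG)
    for rec in bad:
        print(f"BLOCK {rec['client']} -> {rec['host']} ({rec['url']})")
    print(f"{len(ok)} allowed, {len(bad)} blocked")
```

The same allowlist, applied as a deny-by-default outbound rule for the Java process or User-Agent at the gateway, is the enforcement half; running the check over historical logs first shows which destinations the business genuinely depends on before anything is blocked.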
From the standpoint of channel partners, the benefits of having Java often outweigh the difficulties. "I definitely agree that Java presents an opportunity for attack," said Jim Wallworth, president of Apollo Information Systems in Los Gatos, Calif. "But I also think it is worth keeping. Many of our customers need it, and I haven't heard security complaints from those who do."
Oracle could not be reached for comment.