Oracle's Java security update lacking, experts say

Oracle's latest update of the Java Development Kit fails to go far enough in fixing the security-troubled platform, bringing only marginal improvements instead, experts say.

Among the improvements in Java SE Development Kit 7, Update 10 (JDK 7u10) is the ability to use the control panel to prevent Java applications from running in browsers. Vulnerabilities in Java are a major target for cybercriminals hoping to infect computers with malware.

That's because hackers know many people do not keep the Java plug-in for browsers up to date, leaving old flaws open to exploitation. This has resulted in a high success rate for attackers. In 2011, an exploit integrated into the Blackhole toolkit, a hacker favorite, had more than an 80 percent success rate, according to HP's security research division.

Other improvements in JDK 7u10 include using the control panel to choose from four levels of security for unsigned applets, Java Web Start applications and embedded JavaFX applications that run in a browser. In addition, Oracle has added a dialogue box that will warn people when the Java plug-in needs to be updated to prevent exploits.

While welcoming the changes, experts said it is only a start. "New features notwithstanding, Oracle still has a long way to go to improve security," said Andrew Storms, director of security operations at nCircle.

Because consumers are not bothering to update Java now, they are unlikely to take the time to learn how to use the control panel, experts say. In addition, Storms points out that large businesses with a full-time IT security staff will only find the new settings helpful if they can be centrally managed from Microsoft Active Directory or other directory servers.

"Without this access, the new settings will essentially be useless to enterprise IT teams," Storms said.
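The central-management gap Storms describes is, in practice, a question of whether the new 7u10 switches can be pushed as files rather than clicked in a control panel. The following is an added illustration, not code from the article or from Oracle: it shows the two system-level files Java reads on startup, with the JDK 7u10 settings the article names (plug-in off, security level) expressed as properties and locked so users cannot override them. The file paths and the use of a Windows-style URL are assumptions chosen for illustration; the key names follow Oracle's deployment configuration documentation for Java 7, and the article itself does not list them.

```properties
# deployment.config -- system-level file the JRE reads first
# (illustrative locations: C:\Windows\Sun\Java\Deployment\deployment.config on Windows,
#  /etc/.java/deployment/deployment.config on Linux; choose the one your distribution tool drops)
# It points every JRE on the machine at one enterprise deployment.properties file
# and makes loading that file mandatory rather than best-effort.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# deployment.properties -- the enterprise file referenced above
# Disable the browser plug-in outright (the JDK 7u10 control-panel switch as a property).
# The bare "<key>.locked" line greys the setting out in the Java Control Panel.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# If some business application still needs the plug-in, keep it on but pin the
# 7u10 security slider to its strictest level and lock that as well.
# Values accepted by 7u10: LOW, MEDIUM, HIGH, VERY_HIGH
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

Any directory-driven distribution mechanism (Group Policy Preferences on Active Directory, a configuration-management agent elsewhere) only has to place these two files; the check on a managed workstation is that the corresponding options appear greyed out in the Java Control Panel and that the plug-in does not load in the browser.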


A more important improvement needed for Java is for Oracle to perform "fuzz" testing on the platform's codebase, said Paul A. Henry, security and forensic analyst at Lumension. Fuzzing is a software testing technique for finding coding errors and security holes.

Wolfgang Kandek, chief technology officer for Qualys, suggested Oracle add a URL blacklisting/whitelisting feature that IT administrators could use to limit which Java applets can run in the browser. Hackers use these mini-programs in order to exploit flaws.

Oracle also needs to release patches faster, particularly when a previously unknown vulnerability is discovered, said HD Moore, chief security officer for Rapid7. Oracle releases patches on a quarterly basis, while Microsoft and Adobe release theirs monthly.

"Oracle's quarterly patch cycle is at odds with other makers of high-risk browser add-ons, such as Adobe," Moore told CSO Online.

Storms agreed that Oracle was slow in fixing holes and added that the vendor needs to provide the security industry with more details on vulnerabilities and patches. "Oracle has done a lousy job addressing Java security throughout 2012 and there's no reason to expect they will change their approach in 2013," he said.

Oracle became Java's steward in 2010 with the acquisition of Sun Microsystems.

By Antone Gonsalves, CSO Online