That’s Billion with a B: Is Java Having an “Outlook” Moment?

September 26, 2012 By Tim O'Brien

I’m a broken record, I know, but every month that goes by we get more and more news that suggests that Java developers (and the companies that support Java) are slow to wake up to these threats.

You remember Outlook, maybe some of you are unlucky enough to still use Outlook, but for Microsoft, Outlook was a multi-year security embarrasment. From 1999 to around 2005 it felt like Outlook was having a security vulnerability every other minute. Back then, there were so many that, in technical circles, Outlook became something of a joke to anyone who valued security. In fact, you could make a compelling argument that Outlook’s multi-year security challenges were the weak point in the armor that provided an opening to Google’s GMail (and once you’ve decoupled from Outlook, why not try that Macbook Pro you’ve been eyeing).

If this trend in Java doesn’t stop – if we don’t stop experiencing billion-user, level 10 CVSS security exploits every other week in Java – all the inertia in the world won’t stop a shift to another language or another platform. Check out this news that just crossed the wire yesterday from Softpedia:

One billion users affected by Java security
sandbox bypass vulnerability, experts say. Researchers from Security Explorations
claimed to identify a flaw that affects all Oracle Java SE versions and the billions of
devices on which the software is currently installed. This bug, codenamed issue 50, was
identified just before the start of Oracle’s JavaOne 2012 conference.
―The impact of
this issue is critical — we were able to successfully exploit it and achieve a complete
Java security sandbox bypass in the environment of Java SE 5, 6 and 7,‖ the CEO of
Security Explorations said. He said the vulnerability can be leveraged by an attacker to
―violate a fundamental security constraint‖ of Java Virtual Machines. The researchers
confirmed Java SE 5 — Update 22, Java SE 6 — Update 35, and Java SE 7 Update 7
running on fully patched Windows 7 32-bit operating systems are susceptible to the
attack. The affected Web browsers are Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89,
Firefox 15.0.1, and Internet Explorer 9.0.8112.16421. The company provided Oracle
with a complete technical description of the flaw, along with source and binary codes,
and a proof-of-concept that demonstrates the complete security sandbox bypass in Java
SE 5, 6, and 7.”

Don’t get me wrong, Java’s going nowhere. The JVM and language are here to stay, but when I read things like “a proof-of-concept that demonstrates the complete security sandbox bypass in Java SE 5, 6, and 7” in the following security bulletin I have to ask myself what sort of foundation we’re building our systems on? Well it isn’t a sandbox if it can be circumvented, is it?

This reminds me of a piece that Vint Cerf wrote for next month’s Communications of the ACM, in it he writes about the lack of a scientific discipline when it comes to software in “Where’s the Science in Computer Science?”. Here’s a good sample:

“When we write a piece of software, do we have the ability to predict how many mistakes we have made (that is, bugs)? Do we know how long it will take to find and fix them? Do we know how many new bugs our fixes will create? Can we say anything concrete about vulnerability? What about the probability of exploitation? Murphy’s Law suggests that if there is a bug that can be exploited for nefarious purposes, it will be.” He continues later in the piece: “…As a group of professionals devoted to the evolution, understanding, and application of software and hardware to the myriad problems, opportunities, and activities of modern society, we have a responsibility to pursue the science in computer science. We must develop better tools and much deeper understanding of the systems we invent and a far greater ability to make predictions about the behavior of these complex, connected, and interacting systems.”

My impolite translation of Cerf’s wisdom? “You are all a bunch of hacks. You couldn’t model software if your life depended on it. Maybe it’s time to start getting serious.” I’d also like to put forward that it might be time for the people responsible for the JVM to hire someone who can take the time to do it right.

If you want to start “Doing it Right” and paying attention to security start with your dependencies. If you don’t use Sonatype Insight, it’s very likely that you are downloading software components with known vulnerabilities every day. Don’t get owned by some vulnerability that’s been in the wild for months, start using Insight today.

  • masked_cucumber

    What is the scope of the vulnerability we are speaking about ? What is the Java sandbox for ? Preventing people executing code in a deliberate way from malware ? For sure, this is serious : the sandbox is useful, no doubt about it. But let’s be honest : which alternative technology provides a successful solution to this problem ? .NET ? Flash ? Is the Java sandbox a central point in Java security ? In my point of view, we have to think about it but can not consider it crucial : we can not prevent the end users to execute malware if they have chosen to do so. If we go on thinking the user is never responsible of what is done, he will never be.

    • RiccardoC

      That’s not the point… the sandbox is what protects you (or at least it should!) from applets, which are java programs embeddable in web pages, doing nasty stuff on your computer; applets usually start without user confirmation, that’s the problem.
      But you’re right when you say that most alternative runtimes aren’t the solution for this problem; for example Flash has always had a long record of security breaches.
      We can only hope Oracle seriously tackles this issue as soon as possible, and possibly for good, or at least for a couple of years!

  • ole

    The important point about all these bugs is:
    Its all only about client side Java.
    I am a Java developer myself but I haven’t ever used Java on the client side.
    I even don’t have support for Java applets turned on for years.
    So I am not affected by such bugs.
    Java on the server side is still quite save (compared to PHP for example).

    Please remember:
    Other languages like Ruby, Python or PHP don’t even try to create a sandbox and go on the client side.

    • RiccardoC

      Are you sure you’re not affected? Any web page could potentially contain an applet, whether you know (or notice) it or not

  • Dan Howard

    OMG – blog as advert. Credibility = Zero

  • g0rl0k

    BROWSER’s PLUGINS are a risk. Always. It’s true for Flash, Acrobat, Java, etc. All plugins must be disabled by default, and active them only on trusted sites that need them. Java as a platform was never under risk.
    My 2 cts: uninstall Java Browser’s Plugin. Most of people will never need it.

  • Michael

    User your brain before you write a blog post. The problems are solely located in the Java Applet plugin and NOT Java! This makes a huge difference.

    • Robert Jackson

      Actually one of the last infections I got was inside Selenium written in java, used inside the Netbeans IDE I use to write software. If you only knew what you were talking about

  • Robert Jackson

    I am seriously getting tired of all of the Java vulnerabilities. 3 out of the last 3 infections on my computer were caused by java exploits. My computer kept blue screening last night. I am running a boot scan with Avast, it has already found hundreds of infected java files