I’m a broken record, I know, but every month that goes by we get more and more news that suggests that Java developers (and the companies that support Java) are slow to wake up to these threats.
You remember Outlook, maybe some of you are unlucky enough to still use Outlook, but for Microsoft, Outlook was a multi-year security embarrasment. From 1999 to around 2005 it felt like Outlook was having a security vulnerability every other minute. Back then, there were so many that, in technical circles, Outlook became something of a joke to anyone who valued security. In fact, you could make a compelling argument that Outlook’s multi-year security challenges were the weak point in the armor that provided an opening to Google’s GMail (and once you’ve decoupled from Outlook, why not try that Macbook Pro you’ve been eyeing).
If this trend in Java doesn’t stop – if we don’t stop experiencing billion-user, level 10 CVSS security exploits every other week in Java – all the inertia in the world won’t stop a shift to another language or another platform. Check out this news that just crossed the wire yesterday from Softpedia:
One billion users affected by Java security
sandbox bypass vulnerability, experts say. Researchers from Security Explorations
claimed to identify a flaw that affects all Oracle Java SE versions and the billions of
devices on which the software is currently installed. This bug, codenamed issue 50, was
identified just before the start of Oracle’s JavaOne 2012 conference. ―The impact of
this issue is critical — we were able to successfully exploit it and achieve a complete
Java security sandbox bypass in the environment of Java SE 5, 6 and 7,‖ the CEO of
Security Explorations said. He said the vulnerability can be leveraged by an attacker to
―violate a fundamental security constraint‖ of Java Virtual Machines. The researchers
confirmed Java SE 5 — Update 22, Java SE 6 — Update 35, and Java SE 7 Update 7
running on fully patched Windows 7 32-bit operating systems are susceptible to the
attack. The affected Web browsers are Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89,
Firefox 15.0.1, and Internet Explorer 9.0.8112.16421. The company provided Oracle
with a complete technical description of the flaw, along with source and binary codes,
and a proof-of-concept that demonstrates the complete security sandbox bypass in Java
SE 5, 6, and 7.”
Don’t get me wrong, Java’s going nowhere. The JVM and language are here to stay, but when I read things like “a proof-of-concept that demonstrates the complete security sandbox bypass in Java SE 5, 6, and 7” in the following security bulletin I have to ask myself what sort of foundation we’re building our systems on? Well it isn’t a sandbox if it can be circumvented, is it?
This reminds me of a piece that Vint Cerf wrote for next month’s Communications of the ACM, in it he writes about the lack of a scientific discipline when it comes to software in “Where’s the Science in Computer Science?”. Here’s a good sample:
“When we write a piece of software, do we have the ability to predict how many mistakes we have made (that is, bugs)? Do we know how long it will take to find and fix them? Do we know how many new bugs our fixes will create? Can we say anything concrete about vulnerability? What about the probability of exploitation? Murphy’s Law suggests that if there is a bug that can be exploited for nefarious purposes, it will be.” He continues later in the piece: “…As a group of professionals devoted to the evolution, understanding, and application of software and hardware to the myriad problems, opportunities, and activities of modern society, we have a responsibility to pursue the science in computer science. We must develop better tools and much deeper understanding of the systems we invent and a far greater ability to make predictions about the behavior of these complex, connected, and interacting systems.”
My impolite translation of Cerf’s wisdom? “You are all a bunch of hacks. You couldn’t model software if your life depended on it. Maybe it’s time to start getting serious.” I’d also like to put forward that it might be time for the people responsible for the JVM to hire someone who can take the time to do it right.
If you want to start “Doing it Right” and paying attention to security start with your dependencies. If you don’t use Sonatype Insight, it’s very likely that you are downloading software components with known vulnerabilities every day. Don’t get owned by some vulnerability that’s been in the wild for months, start using Insight today.