Oracle's recent problems with Java vulnerabilities will not have escaped your notice, and inevitably, people have asked whether Java is redeemable, or simply too difficult to secure.
Well, all software is inherently insecure, because any piece of software can be compromised somewhere in the chain from initial coding and code maintenance to execution in the real world. When Stephen Cobb asserted that "Now is the time to disable Java in your web browser, or even remove it from your system if that is practical," a highly relevant comment was posted subsequently:
"...any popular platform will have the same issue, someone will break it at some time, should you say 'let's disable Windows' or 'let's not use OSX'?"
But many people don't need Java, whereas there's not much you can do without an operating system. And obviously, permanently disabling Java wasn't the only option, even before Oracle came up with a patch (though it sounds as if the company may still need to do some re-engineering on the patch). There was a third-party patch before Oracle released its own, though third-party patches are problematic in themselves, especially in a corporate context, because a company using even a trusted third-party patch is likely to be exposed to liability-related risks, especially if it goes wrong for some reason. And there was always the option of disabling Java just until an official patch was available.
The question is, should people trust Oracle to pursue 'due diligence' in finding and patching vulnerabilities? For a while, the answer was an unequivocal no - for some of us, at least - because the company was apparently not taking seriously the potential of breaches it's alleged to have known about since April. Today, the answer might be different. In releasing its patch several weeks out-of-cycle, Oracle may have been reacting to criticism and negative recommendations rather than doing the right thing for the right reason, but the security/updating protocols of a lot of other big names have similar origins.
So maybe the question really breaks down into two questions.
- Do you trust Oracle to do better from now on?
- Do you need Java anyway? Or, more to the point, do you need applications or services that need you to enable it?
If enough people answer no to the first, some of those apps and services will probably reconsider their dependence on an unpopular service, and then Oracle will really have a problem.
But as Kevin Townsend suggests, there's a problem that affects all of us, and while it's not a new problem, its resurgence in this context is very much of Oracle's making. Full disclosure or responsible disclosure? The security industry tends to be uncomfortable with the idea of the whole world getting to know the details of how to break an application before the vendor has had a chance to fix it. But by prioritising its patch cycle over the need to address a vulnerability already known to have been exploited, Oracle has given more ammunition to those who believe that major companies have to be frightened into taking prompt - if inconvenient - action.
Responsible disclosure demands responsible (and responsive) remediation.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow