Oracle, Java and Security

[tweetmeme source=”franscomputerservices” only_single=false]Oracle, Java and Security … oh my!

Java bug exposes users to serious code-execution risk – Researchers disclose because Oracle won’t!

This zero day bug, which is in the Java Web Start (this is automatically added as an ‘extension’ in Firefox – which I always disable) has become a real problem. Here’s a quote from the article regarding the Researchers’ attempt to make Oracle understand the severity of this issue:

Both researchers stressed the ease in which attackers can exploit the bug using a website that silently passes malicious commands to various Java components that jump-start applications in Internet Explorer, Firefox, and other browsers. Ormandy said he alerted Java handlers in Oracle’s recently-acquired Sun division to the threat but “they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

(bold emphasis in the quote mine)

Merely disabling ActiveX or Firefox plugins isn’t enough because the toolkit is installed separately from Java. That means the only temporary fixes are browser specific for IE and Firefox and involve setting killbits or employing file system access control list features. (More about that here).

Or we could always just uninstall Java entirely until Oracle decides to protect their users.

That is a sad option since Secunia makes use of Java for it’s OSI (Online Software Inspector) which has become a very handy free tool for folks to keep up on the myriad of “Internet-facing” programs, plugins, missing Windows Updates, etc.

And of course, (for animated maps) and NASA/JPL use Java for many online projects. I would think they would want Oracle to rethink their position on this problem!

Plus, this is not just a Microsoft Windows Issue. The article also notes that this could affect Linux.

And from the sound of it, also Apple’s Mac OS; particularly since Apple is slow to upgrade Java on their OS platform, and they haven’t done an update for Java in a while for OS X Tiger at all.

What a mess. This issue with Java vulnerabilities, and how Oracle is handling it, may well provide a backdrop that opens up other concerns about Oracle’s stance on security related to their flagship products … things that maybe Oracle wouldn’t want folks to start thinking about…