Category Archives: Java

Java 6 end-of-life

Oracle has quietly stopped updating Java 6, sort of. A page on the Java download FAQ site states that updates for Java 6 will no longer be publicly posted, and recommends upgrading to Java 7. Updates for Java 6 will still be available to customers who have support contracts from Oracle.

Switching from Java 6 to Java 7 is going to be a problem for anyone who uses Java-based software that is not yet compatible with Java 7. Large organizations with such Java 6 dependencies will either start paying for support (if they aren’t already), or deal with the consequences of allowing their Java 6-based software to become increasingly vulnerable. Smaller organizations and individuals with Java 6 dependencies who cannot afford to pay for Oracle support may want to consider switching to alternative software.

There’s likely to be a certain amount of backlash against this move. At the very least, if Oracle doesn’t back down from this stance, expect a ‘black market’ in Java 6 updates to start up fairly soon: people with access to the official Java 6 patches will make them available to the public. The main problem with this, besides annoying Oracle, is that nefarious persons are likely to use the demand for Java 6 patches as a way to spread malware; a ‘Java 6 update’ obtained from anywhere other than Oracle is an obvious vehicle for a trojaned installer.

I predict that Oracle will relent; as long as they are still developing updates for Java 6, those updates will end up being publicly available.

Oracle’s response to Java’s ongoing security woes

A May 30 post on Oracle’s Software Security Assurance blog reviews Oracle’s plans to improve Java’s security.

Step 1 was apparently making sure that Java conforms to Oracle’s software security policies. Without knowing the details, I can only wonder whether the new policies are better or worse than whatever policies were already in place for Java, and whether they are even a good fit for a project like Java. Is it possible that this transition contributed to the recent spate of problems?

Step 2 is to throw more money at Java. Oracle describes this as “increasing investments in Java overall by Oracle”.

Oracle has been working on improving their response time to critical vulnerabilities, which is commendable. They are gradually coming to realize that scheduled releases just don’t cut it for security issues. These days, vulnerability and exploit details propagate almost instantly, and waiting weeks or months for fixes is unacceptable.

Apparently the use of automated security testing tools has been expanded. Presumably from ‘not used consistently or even at all’ to ‘used on a sensible schedule’.

The article goes into a lot of detail about the general security improvements made in recent Java updates. Good stuff, but not news.

On a positive (and actually news-worthy) note, Oracle is working on further separating Java as it runs in web browsers from Java used in server environments. This and other changes will make distribution and administration a lot easier for IT folks. Server Java will also be hardened in ways that are not practical for web-based Java.

So, not much to see here, although it seems clear that Oracle knows that Java security is a serious problem and is at least making an effort to fix it.

Latest Java still vulnerable

According to Adam Gowdiak of Security Explorations, many of the Java vulnerabilities he reported to Oracle in recent months were fixed in the April update (Java 7, Update 21).

However, several of the reported vulnerabilities remain, and Oracle has confirmed that they are working on fixes for those issues.

On April 22, Mr. Gowdiak reported another new Java vulnerability to Oracle:

The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).

Current Java status: vulnerable.

Details are on the Security Explorations web site (scroll to the end).

Update 2013Apr27: Ars Technica reports that exploits for the just-patched Java vulnerabilities are showing up in attack kits and being seen in the wild. If you use Java, patch it ASAP!

Java 7 Update 21 fixes 42 security issues

As expected, Oracle yesterday released a new update for the Java 7 Runtime Environment (JRE). Java 7 Update 21 includes fixes for a whopping forty-two security vulnerabilities.

Adam Gowdiak of Security Explorations reports that several of the issues previously reported by him have apparently been fixed in Java 7u21. He points out that one issue in particular took six weeks to fix, and that this delay was unwarranted.

Update 21 also includes some general security improvements. Java will now pop up a security warning whenever unsigned Java code is about to run. Pushing developers to sign their code is going to annoy some users, but given the number of Java security issues in recent months, this is definitely a good idea. Keep in mind what a signature buys you, though: a valid signature tells you who published the code, not that the code is safe. The Internet Storm Center has additional details.

Given that most of the fixed vulnerabilities can allow remote attackers to gain control of unpatched computers, we recommend installing the update as soon as possible on any computer running Java, especially those with Java enabled in web browsers.
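As an added example (not code from the original post), here is a small Python check that turns the advice above into something you can run across an inventory: it parses the legacy Java version string that `java -version` prints (the `1.7.0_21` / `1.7.0_21-b11` form quoted elsewhere on this page) and flags hosts that are below 7u21, or that still run Java 6, which per the end-of-life post above no longer receives public updates. The hostnames and version outputs at the bottom are constructed sample data. The ‘patched’ status means only that the fixes in 7u21 are present; as the sandbox-bypass report above shows, that is not the same as having no known holes.

```python
"""Classify installed JREs against the update level that carries a given fix.

Added example: parses the first line of `java -version` output (the legacy
"1.7.0_21" / "1.7.0_21-b11" string format) and flags hosts that are below a
required update, or that run Java 6, which no longer receives public updates.
The inventory at the bottom is constructed sample data, not real hosts.
"""
import re
from typing import Dict, NamedTuple, Optional

# Legacy Java SE version string: 1.<family>.<micro>_<update>[-b<build>]
_VERSION_RE = re.compile(
    r'(?P<major>\d+)\.(?P<minor>\d+)\.(?P<micro>\d+)'
    r'(?:_(?P<update>\d+))?(?:-b(?P<build>\d+))?'
)


class JavaVersion(NamedTuple):
    major: int
    minor: int   # the "family": 6 for Java 6, 7 for Java 7
    micro: int
    update: int
    build: int   # informational only; not used for comparison


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Return the first legacy-format version found in text, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return JavaVersion(
        int(m.group('major')), int(m.group('minor')), int(m.group('micro')),
        int(m.group('update') or 0), int(m.group('build') or 0),
    )


def release_level(v: JavaVersion):
    """Comparison key: the -bNN build number is deliberately excluded."""
    return (v.major, v.minor, v.micro, v.update)


# Java 7 Update 21 is the April 2013 release that fixed the 42 issues above.
REQUIRED = parse_java_version('1.7.0_21')


def classify(version_output: str, required: JavaVersion = REQUIRED) -> str:
    """'unknown'  - no version string found (Java may not be installed)
       'eol'      - an older family (Java 6): public updates have stopped
       'outdated' - same family as `required` but an older update
       'patched'  - at or above `required`; this only means the listed
                    fixes are present, not that no unpatched flaw remains"""
    v = parse_java_version(version_output)
    if v is None:
        return 'unknown'
    if (v.major, v.minor) < (required.major, required.minor):
        return 'eol'
    if release_level(v) < release_level(required):
        return 'outdated'
    return 'patched'


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a dict of host -> `java -version` first line."""
    return {host: classify(out) for host, out in inventory.items()}


# Constructed sample inventory (hostnames and outputs are made up).
SAMPLE_INVENTORY = {
    'ws-01': 'java version "1.7.0_21"',
    'ws-02': 'java version "1.7.0_17"',
    'ws-03': 'java version "1.6.0_37"',
    'ws-04': 'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)',
    'ws-05': 'bash: java: command not found',
}

if __name__ == '__main__':
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f'{host}: {status}')
```

Feed `audit()` the first line of each host’s `java -version` output from whatever inventory tool you already have; anything reported as ‘eol’ or ‘outdated’ is a machine where a browser with Java enabled is exposed to the exploits now circulating for these bugs.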

Unfortunately, as with most Java updates, the announcement from Oracle leaves much to be desired. The date of the announcement is buried toward the bottom of the document. The version of the update is never mentioned. Instructions to users are needlessly complex.

Big Java security update expected today

Yesterday, Oracle announced that it will soon issue a significant update for Java. The update will include fixes for forty-two known security vulnerabilities, including thirty-nine that may be remotely exploitable without authentication. Apparently the update will also introduce some new general security improvements.

Ars Technica has additional details.

The update is scheduled for release later today (April 16, 2013).

Java Zero-day exploit status

Like the “__ days since the last accident” signs that are common in workplaces, the Java Zero-day Countdown web site provides a quick check on Java’s current security issues.

Recall that a zero-day exploit/attack/threat is “an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on ‘day zero’ of awareness of the vulnerability.” [from Wikipedia]

Java has been hit by a stream of such attacks in recent months, and despite new security-tightening features added by Oracle (Java’s developer), there’s no end in sight. Java’s ubiquity makes it a prime target for the perpetrators of malicious hacks.

Maybe some day Oracle will tighten Java’s security to the point where sites like the Java Zero-day Countdown aren’t necessary. Until that happens, it’s a good way to get a quick overview on current threats to Java.

More holes in Java’s latest security enhancements

As you’re no doubt well aware, Oracle has been churning out a lot of security updates for Java lately. They’ve also been adding security features, such as the new security settings options. And that’s a good thing.

Except that the security settings don’t actually work the way they’re supposed to. There’s an implicit assumption that ‘trusted’ Java applications – those signed with a valid certificate – should be allowed to do whatever they want. Which would be fine, if certificate validation were always reliable. But it’s not. A new vulnerability discovered by security researchers at Avast causes Java to treat clearly invalid certificates as valid.

So, the usual advice still applies: disable Java in your web browser unless you absolutely need it. If you need it, consider setting aside one browser just for use with Java, and limit your use of that browser.

Is Oracle losing ground in this battle? Sure feels like it.

Java 7 update 17 released

And just like that, another new version of Java. Version 7 update 17 (what happened to update 16?) includes fixes for some serious security vulnerabilities, as outlined in the associated security alert.

You’ll forgive me for not trusting Oracle’s word on whether any particular vulnerability has truly been fixed. I’ll defer to Adam Gowdiak and other security researchers for the final judgment. Certainly 7u17 is the latest version of Java, and it presumably fixes some of the holes in 7u15, so anyone using Java – especially in their browser – should install it ASAP. But I’m going to leave Java 7u17 flagged as possibly vulnerable.