Last week saw the discovery of YAJE: Yet Another Java Exploit. Sadly, Java vulnerabilities are neither new nor uncommon and the bad guys are quick to exploit them in the wild. Some claim that Oracle is in too much of a rush to extricate itself from this unholy mess and while being quick to patch whatever vulnerability is currently making the media headlines is still leaving far too many insecurities in the software unfixed. But does that mean it's time to give up on Java?
AlienVault's Head of Labs, Jaime Blasco, reproduced the latest exploit in a previously fully patched Java installation and found that the exploit was probably "bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681". In fact, according to Blasco, the exploit is the "same as the zero day vulnerabilities we have been seeing in the past year in IE, Java and Flash".
Most vendors, AlienVault included, were advising that prior to the Oracle patch the only sensible option to protect against the threat was to disable Java. Simple as. But is it really that simple, and should we be writing off software such as Java (or indeed Flash and Internet Explorer) as being 'too vulnerable' and 'too insecure' and therefore not fit for purpose?
Let's look at the facts for a moment: Oracle released a patch for this latest vulnerability within a few days of exploits being seen in the wild. That emergency update, in effect, makes the default Java browser security settings require user consent before executing non-signed (or self-signed) Java applets. This move, in and of itself, goes some way toward mitigating the risk of falling victim to the next Java exploit, which will inevitably appear before too long. Just as inevitably though, the criminal element will also find new ways to exploit the software, to weaponize the vulnerabilities, and get to your data.
Some security experts, such as the chief security officer at Rapid7, HD Moore, think it might take a good couple of years for Oracle to fix all the security issues, and reckon the safe option is simply to assume that Java is vulnerable and always will be, and to remove it from the desktop.
Bit9 engineer Chris Lord, however, disagrees fundamentally. Lord takes the view that news of these vulnerabilities should be inconsequential if you are running on a trust-based security platform where you only allow software that you trust to run within your environment. "Software is and will continue to be vulnerable" Lord says, adding "You don’t need to disable Java; you need to prevent the malware that exploits this (and the inevitable next) vulnerability from running".
One of the editors of the SANS NewsBites security industry newsletter got to the heart of the matter when he stated that "If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to be looking at better ways to defend our systems and data".
So what do you think? Are you sticking with Java or looking for alternatives? What's your answer to the spate of security threats that are hounding Java of late?