Last week saw the discovery of YAJE: Yet Another Java Exploit. Sadly, Java vulnerabilities are neither new nor uncommon and the bad guys are quick to exploit them in the wild. Some claim that Oracle is in too much of a rush to extricate itself from this unholy mess and while being quick to patch whatever vulnerability is currently making the media headlines is still leaving far too many insecurities in the software unfixed. But does that mean it's time to give up on Java?

AlienVault's Head of Labs, Jaime Blasco, reproduced the latest exploit in a previously fully patched Java installation and found that the exploit was probably "bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681". In fact, according to Blasco, the exploit is the "same as the zero day vulnerabilities we have been seeing in the past year in IE, Java and Flash".

Most vendors, AlienVault included, were advising that prior to the Oracle patch the only sensible option to protect against the threat was to disable Java. Simple as. But is it really that simple, and should we be writing off software such as Java (or indeed Flash and Internet Explorer) as being 'too vulnerable' and 'too insecure' and therefore not fit for purpose?

Let's look at the facts for a moment: Oracle released a patch for this latest vulnerability within a few days of exploits being seen in the wild. That emergency update, in effect, makes the default Java browser security settings require user consent when it comes to the execution of non-signed (or self-signed) Java applets. This move, in and of itself, mitigates somewhat against falling victim to the next Java exploit which will inevitably appear before too long. Just as inevitably though, the criminal element will also find new ways to exploit the software, to weaponize the vulnerabilities, and get to your data.

Some security experts, such as the chief security officer at Rapid7, HD Moore, think it might take a good couple of years for Oracle to fix all the security issues though, and reckon the safe option is just to assume that Java is vulnerable and always will be, and remove it from the desktop.

Bit9 engineer Chris Lord, however, disagrees fundamentally. Lord takes the view that news of these vulnerabilities should be inconsequential if you are running on a trust-based security platform where you only allow software that you trust to run within your environment. "Software is and will continue to be vulnerable" Lord says, adding "You don’t need to disable Java; you need to prevent the malware that exploits this (and the inevitable next) vulnerability from running".

One of the editors of the SANS NewsBites security industry newsletter got to the heart of the matter when he stated that " If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to be looking at better ways to defend our systems and data".

So what do you think? Are you sticking with Java or looking for alternatives? What's your answer to the spate of security threats that are hounding Java of late?


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.
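The emergency update described in the article above changed the default Java browser security level so that unsigned and self-signed applets prompt for consent. An administrator who does not want to rely on the default can set and pin that level explicitly. The fragment below is an added example, not part of the original article or of Oracle's documentation: it assumes the `deployment.properties` mechanism and the `deployment.security.level` key introduced with Java 7 Update 10, and the file paths in the comments are stated from memory and should be verified on the build in use.

```properties
# Added example (not from the original article): a user-level
# deployment.properties for the Java 7 plugin. Typical locations (verify):
#   Linux:   ~/.java/deployment/deployment.properties
#   Windows: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

# Weak setting (assumed pre-update behaviour): unsigned applets run without a prompt.
# deployment.security.level=MEDIUM

# Hardened setting: unsigned and self-signed applets require user consent,
# matching what the emergency update made the default.
deployment.security.level=HIGH

# Pin the value so the Java Control Panel cannot lower it again.
deployment.security.level.locked

# To apply this machine-wide instead, point deployment.config at a shared
# properties file and mark it mandatory (assumed keys, verify on your build):
# deployment.system.config=file:///etc/.java/deployment/deployment.properties
# deployment.system.config.mandatory=true
```

The level only governs the consent prompt; it does not remove the plugin from the browser, which is the step the vendors quoted above were advising until the patch shipped. Pinning the setting is what makes it a policy rather than a default that a user or a later installer can quietly relax.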

Interesting comments from security outfit Rapid7's CSO and chief architect of Metasploit, HD Moore:

The Java applet security model has not kept up with browser-based threats. In an era where sandboxing at the process level has become the norm (Adobe Reader, Flash on Chrome, Chrome itself, Internet Explorer low-privacy mode), Java continues to enforce all security at the interpreter level.

Notwithstanding sandbox escapes, the capabilities available to a Java applet still exceed what comparable plugin technologies allow. Java has a ridiculous amount of functionality and has to contend with backwards compatibility issues to boot. The recent vulnerability involving the JMXBeanServer class is a great example of a Java applet being able to access a class it really has no business using in the first place.

Not only is it idiotic to claim people should stop using Java for development because of potential applet security problems (applet code is rarely used, and then mostly in intranet and extranet applications where security is provided through other means), but the claim that an applet "has no business using JMX in the first place" is just as idiotic. There are very valid reasons for an applet to have access to that, not the least of them being applet-based application server administration consoles.

I strongly suspect most of these stories are thought up by people who have a vested interest in seeing either Java and/or Oracle lose market share.

Java is the best and would always remain good. Microsoft has its own flaws. Haters should stop condemning Java.

What do you mean by that "Microsoft (h?)as it(s?) own flaws" comment?

"Java is the best and would always remain good" ...
That would depend on what exactly it is you are trying to write code for. It's not as if Java doesn't have its limitations.

Of course, I think it's because Java is very popular and has a wide usage; it is expected that a platform that has a large percentage of usage will definitely be the next point of attack, just to show that "this thing all of you are rushing to and claiming to be safe and reliable is not as you think". So it has always been like that and it will always be, but the beauty of it all is that, as some sit somewhere to devise attacks, the experts in-house will always be at their seats to innovate the counter-attack. It's a win-win case because all these experts developing patches for all those attacks will always add to their knowledge each day.
So all saboteurs should know this: Java is here to stay even longer than it has been.
