Does Oracle not know their own code?
I’m talking about Java. You know, the write-once-run-anywhere platform that seems to be severely broken from a security viewpoint, rendering it more than useless when used inside a browser.
Oracle, the company that’s owned Java since purchasing Sun Microsystems in 2010, seems to be clueless. Back in October the company pushed out a patch to fix some security holes that were already being exploited. There were complaints at the time that they were being secretive, saying little to nothing publicly about the problem, acting as if they were sweeping dust under a rug. Indeed, two months earlier, in August, the founder and CEO of the Polish security firm Security Explorations, Adam Gowdiak, told PCWorld that Oracle had known about the security problem for months:
“Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day — unpatched — vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.
“The company continued to report Java 7 vulnerabilities to Oracle in the following months until the total number reached 29. ‘We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,’ Gowdiak said.”
In other words, Oracle was acting like Microsoft used to act. Ignore a security problem and maybe it’ll go away. And if it does get discovered and exploited, blame it on the white hats who tried to warn us.
Earlier this month more security holes were found, again already being exploited, prompting Homeland Security to take the unprecedented move of suggesting Java be disabled in all browsers. We learned, again from Gowdiak, that Oracle’s fix from five months earlier had been incomplete and that had left the door open for this latest exploit.
On the Bugtraq mailing list, Gowdiak wrote:
“The company had released a fix for Issue 32 in Oct 2012. However, it turns out that the fix was not complete as one can still abuse invokeWithArguments method to setup calls to invokeExact method with a trusted system class as a target method caller.”
He went on to lambaste Oracle’s approach to security:
“This is not the first time Oracle fails to ‘sync’ security of Core and new Reflection APIs. Just to mention the Reflection API filter.
“This is also not the first time Oracle’s own investigation / analysis of security issues turns out to be not sufficiently comprehensive. Just to mention Issue 50, which was discovered in the code addressed by the company not so long ago…
“Bugs are like mushrooms, in many cases they can be found in a close proximity to those already spotted. It looks [as if] Oracle either stopped the picking too early or they are still deep in the woods…”
I suspect they’re lost in the woods.
In any event, they’ve done it again. The patch they pushed last week turned out to be incomplete and browser side Java is still being exploited in the wild. Now we’re hearing it might take as long as two years to sort through and fix all of Java’s security issues.
That’s pretty mind boggling, no?
As far as I’m concerned, a two year wait for adequate security fixes to Java means one of two things: either Oracle is incompetent when it comes to security issues or they really don’t care about Java. If it’s the latter, I would suggest they get off their duffs and fix it anyway–and quickly. Their future may depend on it.
Oracle can’t afford for their enterprise customers, those whose businesses are built using their products, to lose faith in Oracle’s ability to keep mission critical data safe and secure. Even though their installed base would certainly shudder at the thought of migrating to another platform, they’ll do so in a heartbeat if they think Oracle is becoming senile and undependable. Stumbling in the dark with Java security issues just might be seen as Ellison’s coal mine canary.
It’s pretty evident that Java has not been the cash cow that Oracle had hoped it would be. Certainly, their SCO style patent infringement suit against Google didn’t produce the easy billions they’d envisioned. If Oracle doesn’t want to spend the effort and cash necessary to keep Java developed and properly patched, there’s no crime in that if they just get rid of it. As it’s doubtful they’d ever find a big bucks buyer, I’d suggest just handing it over to the Apache folks as they did with OpenOffice. In that case, further development will probably stop, but maybe IBM or someone will step up to the plate and keep it patched in their spare time.
Maybe Larry Ellison has learned a lesson from the fiasco that his purchase of Sun has turned out to be. In the future, Oracle should avoid open source projects like the plague. If some open source projects are part of a deal, like they were with Sun, Oracle should shed them immediately. Oracle Linux notwithstanding, Oracle doesn’t have what it takes to be the caretaker for open source projects–it’s not in their DNA.
It was obvious before the deal was made that unlike Sun, Oracle wouldn’t be a nurturing parent to projects like Java, OpenOffice and MySQL. Say what you will about Scott McNealy and Jonathan Schwartz, the CEOs at the old Sun, as much as they sometimes didn’t grok FOSS, at least they tried.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
Sometimes it’s not in the best interests of big corporations to buy up developing applications. ESPECIALLY if they have no intention of maintaining it, or of sweeping it under the rug. I think Oracle only bought Java to try to increase their worth, not realizing there would be an underlying need to maintain and develop it to its fullest potential. But I guess now it’s too late. There’s not a lot of people who are going to dedicate a lot of time to patching up something that might never work properly because of all the exploits that are currently out there. I think this should be a lesson for most corporations who are looking to just fatten their pockets by buying up all the small app devs out there: Leave well enough alone! (And please bear in mind this is just MY opinion! and it has no bearing on the market share….or the corporate mission for any one!…LoL!)
Bugs notwithstanding, it is important to keep in mind that this entire discussion is relevant ONLY to the use of Java as a language for safely downloading applications (or applets) on the web. For that, the world is slowly learning, Java is not so much better than Microsoft’s ActiveX, which runs native code even though it was designed to allow sandboxing. This is also the reason why many people today are skeptical about Google’s NaCl project, which offers similar premises.
Java is a general purpose programming language with the best portability profile of the lot (given its feature set) and as such, the vast majority of Java users are using it instead of using C, C++, COBOL, etc. on many platforms, and for them those security issues of Java on the web are not really important.
For Oracle, IBM and many other big companies (Google included), Java does a great service of a portable general purpose language and this is not going away anytime soon.
I do agree with your point that Oracle needs to get its act together in being more responsive, more responsible and more transparent in handling security issues. Microsoft has done a tremendous job on that front (even if they are still fighting their hairy legacy). I also agree with you that open source is not in their DNA (Larry’s – it just gives him the creeps).
@Dror Harari If this was Facebook I would “like” your comment. Spot on, and you make some great points. Indeed, Java is here to stay, and you’re correct to call me to task for my insinuation that they give it to Apache and let it die on the vine. I do think that Java would be better off in the care of another company. As we both agree, Ellison doesn’t do open source well.
The author should realize that this is the way Oracle handles its business and chill out. When Sun Microsystems owned the Solaris OS, they provided security patches for free. After buying Sun Micro. and Solaris, Oracle stopped providing free security patches. Now, you must have a support contract for each and every server you wish/need to apply security patches to.
The author does not live in the same reality as Oracle. Once he adjusts to this “reality”, he will be able to start living a normal life.
You mean Sun’s code? 😉
Oracle is a has been. Has been for a while. Yea, they are powerful…nothing new. What’s good for GM is good for… Another has been. They had their day and now they are done. Oracle does not define reality anymore than FOSS does. Users define that. And Larry is not worried about FOSS, he is worried that the dear users don’t bolt. He will be singing another tune when Java’s crap hits the proverbial fan.
Guess Java’s going to go out soon.. Its time to open the doors to Lazarus and Python!
@Bravo.I – I agree with you on bringing Python to the forefront; might be time for the entire web-serving world to check into alternatives to Java? I’m just sayin’ while Java might not “go away” completely, they just might be better off being handed to the Open Source community. I’m sure there’s folks out there who would not mind dedicating a large portion of their lives to working on fixing the many problems with Java.