Does Oracle not know their own code?
I’m talking about Java. You know, the write-once-run-anywhere platform that seems to be severely broken from a security viewpoint, rendering it more than useless when used inside a browser.
Oracle, the company that’s owned Java since purchasing Sun Microsystems in 2010, seems to be clueless. Back in October the company pushed out a patch to fix some security holes that were already being exploited. There were complaints at the time that they were being secretive, saying little to nothing publicly about the problem, acting as if they were sweeping dust under a rug. Indeed, two months earlier, in August, the founder and CEO of the Polish security firm Security Explorations, Adam Gowdiak, told PCWorld that Oracle had known about the security problem for months:
“Security Explorations reported 19 Java 7 security issues to Oracle on Apr. 2. Those issues included the two zero-day — unpatched — vulnerabilities that attackers are exploiting to infect computers with malware, Gowdiak said Wednesday via email.
“The company continued to report Java 7 vulnerabilities to Oracle in the following months until the total number reached 29. ‘We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,’ Gowdiak said.”
In other words, Oracle was acting like Microsoft used to act. Ignore a security problem and maybe it’ll go away. And if it does get discovered and exploited, blame it on the white hats who tried to warn us.
Earlier this month more security holes were found, again already being exploited, prompting Homeland Security to take the unprecedented step of suggesting Java be disabled in all browsers. We learned, again from Gowdiak, that Oracle’s fix from five months earlier had been incomplete, and that this had left the door open for the latest exploit.
On the Bugtraq mailing list, Gowdiak wrote:
“The company had released a fix for Issue 32 in Oct 2012. However, it turns out that the fix was not complete as one can still abuse the invokeWithArguments method to set up calls to the invokeExact method with a trusted system class as a target method caller.”
He went on to lambaste Oracle’s approach to security:
“This is not the first time Oracle fails to ‘sync’ security of Core and new Reflection APIs. Just to mention the Reflection API filter.
“This is also not the first time Oracle’s own investigation / analysis of security issues turns out to be not sufficiently comprehensive. Just to mention Issue 50, which was discovered in the code addressed by the company not so long ago…
“Bugs are like mushrooms, in many cases they can be found in a close proximity to those already spotted. It looks [as if] Oracle either stopped the picking too early or they are still deep in the woods…”
I suspect they’re lost in the woods.
In any event, they’ve done it again. The patch they pushed last week turned out to be incomplete, and browser-side Java is still being exploited in the wild. Now we’re hearing it might take as long as two years to sort through and fix all of Java’s security issues.
That’s pretty mind-boggling, no?
As far as I’m concerned, a two-year wait for adequate security fixes to Java means one of two things: either Oracle is incompetent when it comes to security issues or they really don’t care about Java. If it’s the latter, I would suggest they get off their duffs and fix it anyway–and quickly. Their future may depend on it.
Oracle can’t afford for their enterprise customers, those whose businesses are built using their products, to lose faith in Oracle’s ability to keep mission-critical data safe and secure. Even though their installed base would certainly shudder at the thought of migrating to another platform, they’ll do so in a heartbeat if they think Oracle is becoming senile and undependable. Stumbling in the dark with Java security issues just might be seen as Ellison’s coal-mine canary.
It’s pretty evident that Java has not been the cash cow that Oracle had hoped it would be. Certainly, their SCO-style patent infringement suit against Google didn’t produce the easy billions they’d envisioned. If Oracle doesn’t want to spend the effort and cash necessary to keep Java developed and properly patched, there’s no crime in that if they just get rid of it. As it’s doubtful they’d ever find a big-bucks buyer, I’d suggest just handing it over to the Apache folks as they did with OpenOffice. In that case, further development will probably stop, but maybe IBM or someone will step up to the plate and keep it patched in their spare time.
Maybe Larry Ellison has learned a lesson from the fiasco that his purchase of Sun has turned out to be. In the future, Oracle should avoid open source projects like the plague. If some open source projects are part of a deal, like they were with Sun, Oracle should shed them immediately. Oracle Linux notwithstanding, Oracle doesn’t have what it takes to be the caretaker for open source projects–it’s not in their DNA.
It was obvious before the deal was made that unlike Sun, Oracle wouldn’t be a nurturing parent to projects like Java, OpenOffice and MySQL. Say what you will about Scott McNealy and Jonathan Schwartz, the CEOs at the old Sun, as much as they sometimes didn’t grok FOSS, at least they tried.