Back on January 24th, Oracle was sitting on their hands after issuing incomplete patches that failed to handle security issues in Java, issues bad enough to evoke dire warnings from the U.S. Department of Homeland Security. I opined on that day that Ellison’s hired help needed to get off their duffs and come up with a good fix quick, even if Java has turned out to be a puppy Larry Ellison no longer wants to keep. Evidently, somebody in Deadwood City felt the same way, as Oracle pushed a patch this past Friday addressing 50 security holes in the beleaguered programming language.
Wait a minute, did I just write that the patch addressed 50 security holes? I’ve got a five pound block of Swiss cheese in the fridge that has fewer holes than that. I think if I were Larry Ellison I would be ashamed to admit I’d allowed that many security vulnerabilities to accrue unfixed while any project was under my care. I think I’d fix ten a day or something in five separate patches and try to make it look like I had my security eagles working overtime finding new holes ahead of the bad guys.
On the Oracle website, announcing the patch, the company did try to give the impression that Marshall Ellison and his posse were riding in to save the day for everybody:
“The original Critical Patch Update for Java SE – February 2013 was scheduled to be released on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers, was addressed with this Critical Patch Update.”
In Marshall Dilbert talk, they were warning that Billy the Kid is already at the saloon where he’s already killed five in five separate gunfights. Apply this patch and stay indoors, away from any Windows–especially 7 or 8.
Indeed, we’re now learning that the hack at Twitter that compromised about a quarter million accounts might have done so using a Java exploit. The UK technology site V3 quotes Sean Sullivan with anti-virus, cloud content and computer security company F-Secure:
“‘My hunch is that Twitter employees were targeted. Twitter developers use Macs and code in Java (on the back end). Those developers probably have a funny notion that there are no viruses for Macs and so had JRE enabled in their browsers–probably browsing the Web with their development computers/images.
‘I suspect that a targeted attack using a Java exploit and a Mac binary payload nailed a Twitter employee. Twitter, having a good security team was able to detect the unusual outside connection and mitigated the attack.'”
It doesn’t seem like it was a long time ago that we were being assured that Java is hacker-proof because of the sandbox approach it takes. I suppose the moral of this story is one I imagine everybody who frequents this site already knows all too well: just as there’s no such thing as a lock that can’t be picked, there’s no such thing as hacker-proof when it comes to computers.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
“It doesn’t seem like it was a long time ago that we were being assured that Java is hacker-proof because of the sandbox approach it takes.”
As far as I can remember, Java has had new security holes with each new iteration of the language. And probably undiscovered ones before each new point release. I’m not saying that every application or computer language written is inherently secure. What I am saying is that Java has always had more than its fair share.
Java? Exposure always means more ‘eyes’ on the code, exposing flaws. Proof positive that coding has its hazards. In this case Java has gone through several companies, and still no one has figured out how to make it right. Money first, good product is second.