Oracle Adds Java to Quarterly Updates, Defends Security Improvements
Oracle's most recent Critical Patch Update (CPU), which the company issues quarterly, included 127 patches for multiple security vulnerabilities discovered in its product families. This quarter's CPU covered everything from the Oracle Database and Fusion Middleware to its E-Business Suite and MySQL. And for the first time, 51 of those fixes were for Java. Security patches for Java had been issued on a four-month cycle, but starting this month, a Java SE CPU will be released on the main Oracle CPU quarterly schedule, the company said.
Fifty of the Java vulnerabilities listed in this CPU are related to Java in the browser -- Java applets and the Java WebStart browser plugin. But 12 of them earned the highest severity score on the National Vulnerability Database's Common Vulnerability Scoring System Version 2 Calculator (CVSSv2), which means that they can allow an attacker to take full control of a machine over a network without requiring authentication.
Folding Java into the security patch cadence of the rest of Oracle's products might make sense to the company, but Chester Wisniewski, senior security advisor at Sophos Canada, says he thinks a quarterly CPU -- for Oracle products and Java -- leaves vulnerabilities unpatched for too long. "If your reputation is this poor and you expose more than a billion users to your flaws, you need to respond more quickly," he wrote in his Naked Security blog. "Microsoft and Adobe both patch monthly and together have less than 50 vulnerabilities fixed per quarter on average. Oracle, it's time to step up your game."
To be fair, when it comes to Java security at least, Oracle has been stepping up its game. At the recent JavaOne conference, Cameron Purdy, vice president of Oracle's Cloud Application Foundation, pointed out to a group of reporters that when Oracle acquired Sun Microsystems a few years ago, the company had had a "very, very tiny team working on security." Oracle has since built a much larger security team focused on Java. "It's an incredible difference between where we were at the time of the acquisition in terms of the amount of machinery and teamwork focused on these issues today," Purdy said.
He also pointed out that there's a general misconception that the Java security vulnerabilities grabbing headlines these days are new, when in fact most of them date back well over a decade, to JDK 1.4 and earlier. Because they were found and exploited after the acquisition, the perception is that these are new issues, he said.
Nandini Ramani, vice president of development in Oracle's Java Platform group, agreed with Purdy's assessment, and argued that Oracle has been working hard behind the scenes to fix these problems. The company has been laying the foundation of a more secure Java with building blocks, such as the new deployment-rules-set feature, which lets developers tie their particular version of Java to specific applications. And the company has made it easier for end users to remove older versions of Java from their systems with a Web-based update tool.
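As an added illustration (not from the article or from Oracle), a Deployment Rule Set of the kind described: it lets an administrator allow only named applications to run, pins them to a supported Java version, and blocks everything else by default. The hostnames are placeholders.

```xml
<!-- ruleset.xml: rules are evaluated top to bottom; the first match wins. -->
<ruleset version="1.0+">

  <!-- Allow one internal application, and only on a Java release that
       is at or above the security baseline for the 1.7 family. -->
  <rule>
    <id location="https://payroll.intranet.example.com" />
    <action permission="run" version="SECURE-1.7" />
  </rule>

  <!-- A second application that still needs a 1.6 runtime, restricted
       to a secure baseline of that family rather than any old install. -->
  <rule>
    <id location="https://legacy-erp.intranet.example.com" />
    <action permission="run" version="SECURE-1.6" />
  </rule>

  <!-- Catch-all: an empty <id/> matches every other applet or Web Start
       application, so unknown content is blocked rather than prompted. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by IT policy: this Java application is not approved.</message>
    </action>
  </rule>

</ruleset>
```

The rule set only takes effect when ruleset.xml is packaged into a signed DeploymentRuleSet.jar and placed in the system-wide deployment directory, so the signing key and that directory should be controlled as tightly as the rules themselves.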
"We're doing everything possible to both introduce enhancements in terms of security features, as well as fixing all of the existing vulnerabilities across the board," she said. "But ultimately people have to update."
Georges Saab, vice president of Java SE Development at Oracle, said that there has been a "swarming effect" that's pretty common in high tech. Once a vulnerability is uncovered, the bad guys are all over it, and that's part of what has made Java seem so vulnerable.
"We've gone through that phase by and large," he said. "I don't think you see things every day like we saw six months or a year ago. Things are settling down. And we're confident about the path we're on now, and the input we're getting from our enterprise customers. We're giving them the tools to manage their landscape of Java."
Purdy added that Oracle's goal is "no security vulnerabilities in Java -- zero, absolutely none." He said that the vulnerabilities have been largely identified and prioritized, and Oracle is working its way down the list.
But Sorin Mustaca, product manager and IT security expert at German security solutions provider Avira, remains unimpressed by Oracle's progress on Java security. "These executives can find tons of excuses why Java is not secure," he told ADTmag in an e-mail. "The fact that they openly say 'the vulnerabilities have been there for years' is just an excuse to lower the priority of these issues."
He agreed with Saab's observation about the swarming effect, but disagreed that "things are settling down."
"I dare say that this is not the case," Mustaca said. "At least not yet. If this was indeed the case, why are we seeing 51 security fixes for Java? And nobody knows how many others were postponed because they have 'been in the code for years.'"
Jerome Segura, senior security researcher at antimalware solutions provider Malwarebytes, says that Oracle's commitment to "zero vulnerabilities" is good news for Java users, and will likely have a positive impact. And he acknowledges that most Java security vulnerabilities are browser-related. But he was less sanguine about the argument that these are old problems just gaining visibility.
"It's quite possible that several years ago, security in Java was regarded as less crucial than it is now because it wasn't in the spotlight, and therefore some mistakes were made from a coding standpoint," he told ADTmag. "But this is still speculation, and blaming your predecessors for your current woes might be unjustified, especially when you're not giving them the chance to tell their side of things."