I'm an author and a developer focused on build tools. I'm currently focusing on Gradle, but I have an interest in all build tools and most development infrastructure. I focus on Enterprise Java, Ruby, and the interface between Systems Administration and Software Development. The focus of my work is to make it easier for individuals to adopt open source software. Tim is a DZone MVB and is not an employee of DZone and has posted 41 posts at DZone. You can read more from them at their website. View Full User Profile

That’s Billion with a B: Is Java Having an "Outlook" Moment?

  • submit to reddit

I’m a broken record, I know, but every month that goes by we get more and more news that suggests that Java developers (and the companies that support Java) are slow to wake up to these threats.

You remember Outlook, maybe some of you are unlucky enough to still use Outlook, but for Microsoft, Outlook was a multi-year security embarrasment. From 1999 to around 2005 it felt like Outlook was having a security vulnerability every other minute. Back then, there were so many that, in technical circles, Outlook became something of a joke to anyone who valued security. In fact, you could make a compelling argument that Outlook’s multi-year security challenges were the weak point in the armor that provided an opening to Google’s GMail (and once you’ve decoupled from Outlook, why not try that Macbook Pro you’ve been eyeing).

If this trend in Java doesn’t stop – if we don’t stop experiencing billion-user, level 10 CVSS security exploits every other week in Java – all the inertia in the world won’t stop a shift to another language or another platform. Check out this news that just crossed the wire yesterday from Softpedia:

One billion users affected by Java security sandbox bypass vulnerability, experts say. Researchers from Security Explorations claimed to identify a flaw that affects all Oracle Java SE versions and the billions of devices on which the software is currently installed. This bug, codenamed issue 50, was identified just before the start of Oracle’s JavaOne 2012 conference. ―The impact of this issue is critical — we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7,‖ the CEO of Security Explorations said. He said the vulnerability can be leveraged by an attacker to ―violate a fundamental security constraint‖ of Java Virtual Machines. The researchers confirmed Java SE 5 — Update 22, Java SE 6 — Update 35, and Java SE 7 Update 7 running on fully patched Windows 7 32-bit operating systems are susceptible to the attack. The affected Web browsers are Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89, Firefox 15.0.1, and Internet Explorer 9.0.8112.16421. The company provided Oracle with a complete technical description of the flaw, along with source and binary codes, and a proof-of-concept that demonstrates the complete security sandbox bypass in Java SE 5, 6, and 7.”

Don’t get me wrong, Java’s going nowhere. The JVM and language are here to stay, but when I read things like “a proof-of-concept that demonstrates the complete security sandbox bypass in Java SE 5, 6, and 7″ in the following security bulletin I have to ask myself what sort of foundation we’re building our systems on? Well it isn’t a sandbox if it can be circumvented, is it?

This reminds me of a piece that Vint Cerf wrote for next month’s Communications of the ACM, in it he writes about the lack of a scientific discipline when it comes to software in “Where’s the Science in Computer Science?”. Here’s a good sample:

“When we write a piece of software, do we have the ability to predict how many mistakes we have made (that is, bugs)? Do we know how long it will take to find and fix them? Do we know how many new bugs our fixes will create? Can we say anything concrete about vulnerability? What about the probability of exploitation? Murphy’s Law suggests that if there is a bug that can be exploited for nefarious purposes, it will be.” He continues later in the piece: “…As a group of professionals devoted to the evolution, understanding, and application of software and hardware to the myriad problems, opportunities, and activities of modern society, we have a responsibility to pursue the science in computer science. We must develop better tools and much deeper understanding of the systems we invent and a far greater ability to make predictions about the behavior of these complex, connected, and interacting systems.”

My impolite translation of Cerf’s wisdom? “You are all a bunch of hacks. You couldn’t model software if your life depended on it. Maybe it’s time to start getting serious.” I’d also like to put forward that it might be time for the people responsible for the JVM to hire someone who can take the time to do it right.

If you want to start “Doing it Right” and paying attention to security start with your dependencies. If you don’t use Sonatype Insight, it’s very likely that you are downloading software components with known vulnerabilities every day. Don’t get owned by some vulnerability that’s been in the wild for months, start using Insight today.

Published at DZone with permission of Tim O'brien, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)


Alan Roche replied on Fri, 2012/09/28 - 4:24am

Just to clarify,  - there is a vulnerability in the Java Applet platform, - which is a sideshow at best in both the overall Java and Browser realms.


Denis Robert replied on Fri, 2012/09/28 - 6:11am

@Alan Roche is 100% correct. In addition, I find Infomercials like this one utterly insulting. "If you don’t use Sonatype Insight, it’s very likely that you are downloading software components with known vulnerabilities every day. Don’t get owned by some vulnerability that’s been in the wild for months, start using Insight today." REALLY??? Shouldn't that be in an ad, as opposed to an information article on Java security vulnerabilities? Product placement is one thing, but this is pure hackery.


Andy Till replied on Fri, 2012/09/28 - 11:17am

This is some really disingenuous from a security weakness in applets only.  However, the security risk is pretty serious and it is giving java a bad name.  I don't think the JRE should ship with browser plugins anymore, but provide a separate download.  The security risk far outweighs the ability to run the few applets out there.

Danno Ferrin replied on Fri, 2012/09/28 - 11:39pm

There is an appropriate place for an article like this: your company's blog.  It's sad that DZone is just turning into another PR channel.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.