While Flash and Adobe Reader have been popular client-side targets, one could argue that attackers' favorite application-layer target has been Java and specifically the Java Runtime Environment (JRE). Oracle, starting with Sun, has advanced the development of the Java ecosystem in several areas, including the programming language, server-side environment and the widespread client-side JRE, but attackers continue to expose serious security vulnerabilities in the JRE. Most of these vulnerabilities are limited to the more common platforms, such as MacOS and Windows, but since Java is used in a wide variety of platforms for the client software, the impact of vulnerabilities may not be well understood.Oracle has added to Java's technical debt, which will result in an ever greater number of vulnerabilities.
In this tip, we'll discuss the latest spate of Java security vulnerabilities and offer some measures to better secure Java in the enterprise environment.
One step forward, one step backAs of late, it seems that just as Oracle releases a patch for the most recently exposed Java vulnerability, attackers find a new one to exploit. Another serious vulnerability was identified September 2012; it allows an attacker to exploit a core security feature of the Java JRE, Type Safety, to escape the Java sandbox. An attacker can completely compromise the security of a system by exploiting this vulnerability.
Worse yet, Java security patches may be giving attackers more exploit opportunities: It is believed that the JRE vulnerability that was reported August 2012 may have been introduced by a previous patch. The bug in the AWT subcomponent of Java could also allow for code execution on the local system, which would bypass the sandbox and result in a system being compromised. When Oracle's software update process exposes new security vulnerabilities, the strength of Java's software development lifecycle comes into question. Not all bugs can be prevented, but it seems clear a stronger security development lifecycle is needed to help prevent the introduction of new Java bugs.
Larry Ellison once touted that Oracle's products are "unbreakable", but this attitude toward security has not extended to the JRE. Oracle's approach to security is generally considered to be less mature than those of rival software makers Microsoftand Adobe, which affects how companies use the JRE. As Microsoft and Adobe started to change their respective security cultures, improvements were realized in the security of their applications despite similarly significant technical debt for legacy products and applications. Oracle does have a long history of selling software to customers with strict security requirements, such as the CIA, but there seems to be an increasingly striking disconnect within Oracle that has yet to foster a strong security development for Java and the JRE. To prevent the JRE from posing too great a threat to enterprises, this must change.
Methods to secure JavaMany believe that the state of Java security is so dire that it must be disabled on all enterprise client-side applications. Though there are viable alternatives for software such as Adobe Reader, no real alternatives currently exist for the Java Runtime Environment. The reality is that many enterprise applications rely on Java; for many organizations, disabling Java simply isn't an option.
From the editors: Time to disable Java?
Enterprises could also compile Java code into native executables to avoid issues with the JRE, but this action would negate the "write once, run anywhere" benefit of using Java. Given that most Java applets are run on either PCs or Macs, this might be a reasonable measure for some organizations, but it wouldn't work for all platforms that run Java. If it could be compiled, this would help reduce the number of systems in an enterprise that needs a JRE installed just for one application. All of these methods require significant effort, but could reduce the risk to an acceptable level for most enterprises.
Conclusion The Java ecosystem pioneered many new features that made developing software for multiple platforms easier. The Java Runtime Environment was the result of that need for easier cross-platform development. Sadly, the reputation of the Java ecosystem has taken a significant hit due to the significant number of security vulnerabilities exposed in the JRE and Oracle's software development lifecycle. While organizations should think long and hard about committing to Java, fortunately, there are ways for enterprises to limit the risk posed to their endpoints by the JRE if it is a business necessity; if it is not absolutely necessary, however, it should not be installed.