March 15, 2013

Solutions for Java Security Issues May be Coming, Say Experts

Java has been a jumping-off point for a variety of hacking attacks staged on some of the biggest names in the field–Apple and Microsoft just for a start–as well as on garden-variety users for the better part of 2013 so far. While Oracle has been hard at work to respond faster and with better protections for its users, security experts are coming out to suggest that the attacks may not stop for some time, and that the fullest array of protections may be a long time coming.

Researchers used one of the most recent attacks, the MiniDuke campaign, to illustrate the point. MiniDuke used exploits for Java, Internet Explorer 8, and Adobe Reader to wreak its havoc, with fully 59 computers across 23 countries hit by this new malware. The particular problem is that MiniDuke exploited a vulnerability that hadn’t yet been patched by Oracle when the attacks went off, according to a blog post from Kaspersky Lab.

MiniDuke, however, proves to be only one of the latest such attempts going back to the start of 2013. Oracle has been rapidly issuing security updates–two so far this year at last report–and went so far as to raise the default setting of Java applet security controls to high.

While security experts have come out in favor of such a strategy, there are those who believe this is only a start, and that further improvement should be made. On security experts’ lists are improving the adoption rates of updates, and offering better security controls for Java in corporate settings. While only so much of that can really be Oracle’s responsibility, security experts also have advice for Oracle in the form of a thorough review of the Java code so as to find the various issues that hackers might be using to stage attacks. Security experts are also taking Oracle to task for not heeding warnings released earlier; one such expert, Carsten Eiram with Risk Based Security, said in an e-mail, "I’m not sure Oracle really took the predictions of Java being the next major target seriously."

However, even Eiram says that it was unlikely that Oracle could have prevented the recent attacks. Eiram did assert that Oracle would be in a better position to fight back against hackers had it acted sooner and done more, but that really would have only gone so far.

It’s an important fact to remember about programming in general: what one programmer does, another can undo. This adage extends to a lot of situations; what one programmer secures, another can break into, to name just one. A piece of software completely impervious to break-ins and malicious behavior is a pipe dream. Any system designed by human beings has, on some level, flaws. Mistakes are made. Accidents happen.

But the security experts do have a point about the need for vigilance. No, no system will ever be perfect, but the protection of the overall system must be of primary importance. Java is illustrating that point nicely; while Oracle never could have prevented all hacking attempts, vigilance was, and still is, vitally important to ensure the system is as good as it can be, and that it keeps getting better every day.

Edited by Brooke Neuman
