When it comes to Java, Oracle has been having just about the worst year ever. If there is any kind of silver lining to the company's troubles, perhaps it is the hope that Oracle is finally learning that security updates must go out as soon as they're needed, and not only at the firm's convenience.
Before I bring you up to date on February, let me review last month. As covered by John Leyden over at The Register, back in mid-January Oracle released a version of Java 7 that plugged a nasty vulnerability which had already been spotted and used in the wild. Users had to get the update “because the exploit for the bug had been 'weaponized' and bundled in widely available black-market hacking toolkits in the week prior” to Oracle's release, Leyden noted. Even the US Department of Homeland Security, along with antivirus firms F-Secure, Sophos, and others, warned browser users to turn off Java plug-ins, since those plug-ins remained a target for attackers.
Oracle, for its part, has been emphasizing that these exploits are limited to Java in the browser. Java on the server, on the desktop, and in embedded deployments is not affected by these security issues. To drive that point home, Oracle uploaded a recording of an hour-long conference call between the Java User Group and a pair of Smiths from Oracle: Milton Smith, head of security for Java at the company, and Donald Smith, of the OpenJDK (Open Java Development Kit) group.
While Leyden describes that call as “pretty stodgy fare that's thus far failed to turn around the generally negative view held by many in the infosec community toward the software giant,” others disagree. Indeed, Andrew Storms, director of security operations for nCircle, calls it a step forward. After all, it's really the first time Oracle has admitted to serious security problems with the Java plug-in. Even so, Storms characterizes the admission as a year too late, and says the company now has a steep credibility hill to climb.
Oracle hardly had time to catch its breath from dealing with January's issues before it was once again forced to release a critical patch update ahead of schedule. “The original Critical Patch Update for Java SE was scheduled on February 19th, but Oracle decided to accelerate the release of this Critical Patch Update because active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers was addressed with this Critical Patch Update,” the company explained. The update corrects a whopping 50 security vulnerabilities, 44 of which affect only Java in browsers. Three fixes, however, apply to both client and server deployments of Java, and two more apply only to server deployments of the Java Secure Socket Extension (JSSE). So much for Oracle's insistence that Java's security issues all center around the browser!
Oracle has been criticized for not keeping Java properly updated almost ever since it acquired Java as part of the package when it purchased Sun Microsystems back in 2009. While the company seems to be getting more proactive about its updates, that may not yet be enough. eSecurity Planet reports that the company's next three regularly scheduled updates for Java will be June 18, October 15, and January 14 of 2014. That's not even once a quarter!