Java Security Alert
New Year, new vulnerabilities… yes, it’s alert season again, with the main patch out on the 15th, but an out-of-band alert today for the Java 0-day. It is good to see Oracle taking this well-publicised issue so seriously.
Here is the alert – http://www.oracle.com/technetwork/topics/security/alerts-086861.html
For an excellent advanced analysis, please see this verified PDF: https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf
For a more layman’s overview of Java security, this PDF is useful: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201301_en.pdf
I taught the first publicly available Java Security Course outside of the US in 2007 at SANS London, wrote the first Java Security exam (GSSP), and wrote and presented the first “Java Top 10 Security Issues” in Orlando in 2008 – which is still very relevant – and back then the story was the same as it is today: Java applets are insecure, don’t use them, and strongly consider turning off Java in browsers.
Server-side Java is still a dominant language and probably will be for a while, though Java in the database itself has had both security and performance issues, as well as questions as to why use Java in the DB at all. Is it to bring more processing to the DB to increase licensing for Oracle, say the cynics, or to enable fewer network round trips between app and DB pulling data backwards and forwards? Obviously it is nice to have a choice, but PL is a more efficient way to interact with the DB locally.
A larger question in many folks’ minds will be why use Java at all? It was made popular because Sun had made it cross-platform, but does Oracle have the same cross-platform credibility as Sun? A JVM is slower than native code, so if cross-platform support is less of a factor, perhaps C will make a comeback. This logic is borne out by http://developers.slashdot.org/story/13/01/07/181219/c-beats-java-as-number-one-language-according-to-tiobe-index. Personally, I do a lot of text file log manipulation so I still use Perl as it is quicker (and have been recommended to try Lua – on the to-do list), and am intrigued by DBIx http://www.dbix-class.org/.
Agreed, for database connectivity JDBC is still king, so I am still glad I learnt Java at uni many moons ago, but the crux of this is that Java’s expansion market has been Android, and the fear is that Oracle’s lawyers scare companies from innovating with the technology in a cross-platform way. I hope the concept of “Java Stewardship” extends to the legal department.
Anyway, let’s hope that the new Oracle patch is reliable.