by Andy Patrizio
About the worst endorsement you can get is to have the government say not to use your software. That is exactly what happened to Oracle last week when the Department of Homeland Security issued an alert that said every computer user should disable Java on their PC due to a significant vulnerability.
A massive exploit was found in Java 7 Update 10 that has been connected to a global malware network called Red October, which has infested hundreds of government PCs worldwide and has been there for months.
Oracle issued a fix, called Update 11, but almost immediately security researchers found it had its own vulnerabilities. Thus, DHS repeated its order to stay away. “Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11,” it said in the alert.
HD Moore, chief security officer with Rapid7, told Reuters it could take up to two years for Oracle to fix all the security bugs that have currently been identified in this version of Java, and he too advised people to uninstall Java from their computers.
These problems aren’t new. Java exploits have been around for a while and are numerous. A Kaspersky report found Java accounts for 56% of all security vulnerabilities stopped in the third quarter of 2012, and Kaspersky’s researchers pulled no punches in their harsh assessment of Oracle’s stewardship of the language.
“Where other companies have improved their security posture to varying degrees, over the years Oracle has stood completely still. No efforts have been made to make the software more secure or at least improve the updating mechanism. Their response to security vulnerabilities has been completely inadequate as well, having been aware of easy-to-fix security vulnerabilities for months without fixing them,” said Roel Schouwenberg, senior researcher at Kaspersky Labs.
Which leads to the inevitable question, is Oracle the right company to continue shepherding the Java language? Oracle is an enterprise software company, an industry that moves slowly and cautiously. It has not had the experience of Microsoft, which has been targeted by hackers for more than 20 years. Being assaulted so much for so long forced Microsoft to be faster-moving, something Oracle does not really know. Oracle did not respond to requests for comment.
Elizabeth Hedstrom Henlin, enterprise software analyst with Technology Business Research, says no. “It will be addressed, not in a Java-centric approach but a broader reinvention to optimize everything they have to work well, not just on its own but together and all the time,” she said.
Oracle’s business has grown to such an extent that it has a lot more on its plate now than it did even when it acquired Sun in early 2010, which is when it also acquired Java. Because of this, Oracle is now looking at end-to-end integration of its products, of which Java is a part.
Plus, its cloud offering will force the company to be more security-conscious, Henlin argues. “You can’t be slow with a cloud hack. So you will see changes within the core Java world as Oracle continues to expand its public cloud. They are offering Java as a service, so that will spill back over into on-premises deployments as well,” she said.
On the other hand, Rob Enderle, principal analyst with the Enderle Group, thinks it’s time for Oracle to sell it off to Google and wash its hands of a product that brings in no money. “[CEO] Larry [Ellison] is bottom line-oriented, and I see this as an additional expense Oracle picked up and becoming a bigger expense,” he said.
“When Homeland Security sends a warning out on a product you are selling, that’s not good advertising for any vendor, I don’t care who you are,” he added.
Microsoft, Google and Apple all actively search for exploits of their operating systems. The Java exploit that led to Red October was found by one person, by accident. It had been exploited for months. Enderle doesn’t believe Oracle will invest the money and energy needed in a product that won’t pay back the expense.
“They’re not getting enough money from the product to justify the expense of maintaining it. They hung in there on the possibility of getting a few billion out of Google and that’s not working. They should just sell it to Google. Google would probably be happy to get the IP,” he said.