Oracle has released an emergency software patch intended to fix a critical vulnerability in its Java browser plugin. All the same, the Department of Homeland Security (DHS) is still advising users to dump Java into the sink by disabling it on their browsers.
The underlying lesson is one that we have noted here at GRT Corp. all too often before. And we will probably continue to say it: You can't rely on vendors, even leading vendors, to ensure the security of their offerings.
In early January the DHS Computer Emergency Readiness Team put out an advisory recommending that users disable the Java cross-platform plugin on their systems. As reported by Steven Musil at CNET, the action was taken in response to a critical vulnerability in the Java plugin that would allow a remote attacker to execute Java code through the plugin. The vulnerability would be triggered if the user visited a website containing malicious code that enabled the breach.
This vulnerability is not inherent in the Java computer language as such, but in the implementation of the language provided by Oracle as a plugin for major browsers. (It should also be noted that the vulnerability is completely unrelated to JavaScript or any JavaScript plugins.)
According to the DHS announcement, "this and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered."
An independent security specialist firm, Immunity, noted that Oracle's emergency patch blocked one particular exploit, but still left related vulnerabilities open to sophisticated Java attackers.
The Homeland Security advisory is only the latest security blow suffered by Java during the past year. Many security experts were already advising users to disable the Java plugin, which relatively few Web applications require.
Security vulnerabilities in vendor software, however, are hardly unique to Java or Oracle. Rarely does a week go by without some major vendor acknowledging a critical vulnerability and releasing a patch to plug it. These patches should be installed promptly.
But "zero-day" exploits – unknown to vendors, and therefore unpatched – are a fact of life in the commercial software world. According to many observers, enterprise software is even more vulnerable than consumer releases. The enterprise solutions are often more complex, and in a limited market are liable to be less fully tested.