YAJE: Yet Another Java Exploit

Whenever I install a new version of the Java Development Kit on a machine, I chuckle at the splash screen that boldly brags “Over 3 Billion Devices Run Java”. To me, that loosely translates to “Over 3 Billion Devices Can Be Easily Pwned by Mediocre Hacker Wannabes Pressing Pretty Buttons They Don’t Understand”.

An Information Week article last week summarized the most recent bad news surrounding Oracle’s much beleaguered language. Separate bugs have surfaced in Version 6 and Version 7 of the language. Oracle no longer supports Version 6, and so it no longer issues fixes for problems that arise in it. In fact, the last public release of Java Version 6 was Release 45, which Oracle issued in April, even after it officially retired that version in February.

It is not unreasonable for software companies to retire old products they no longer wish to support. There comes a point where it costs far too much for a company to pay software developers to fix old code that has long been replaced by different approaches the company feels increase the quality, stability, and security of the product. We explored this issue previously in regard to Windows XP and Microsoft’s pledge to retire it in April 2014. In fact, my own software company charges customers substantial fees to maintain older releases. Developers generally dislike working on old code, and the business has to recoup costs somehow.

Unfortunately, users often have their own ideas about whether old versions are still usable. In Java’s case, 47% of Java users still use Version 6 of the language. Perhaps this isn’t that surprising, considering there were 45 different releases of Version 6, and it was the version du jour for nearly three years. When a version sticks around that long, its staying power gives it an inertia the Earth itself can’t rival.

I don’t blame Oracle for resisting the pressure to patch the bugs in Version 6. Wait … yes I do. Oracle has been doing a terrible job maintaining the language and dealing with its problems since it acquired Java’s creator, Sun Microsystems, in 2010. Much of the reason there are so many users still using Java 6 is that the first versions of Java 7 had awful security and performance flaws. First impressions die slowly, if ever, and so many users never made the switch, justifying their Java luddite status as the more responsible tack to take. While that was true in late 2011, sticking with Java 6 today is only slightly more excusable than using Internet Explorer as your browser of choice.

The Java 7 bug the article describes is also a bad one, however: a compromise of Java’s security sandbox. It enables an attacker to gain access to the underlying file system through an applet that, according to Java’s security rules, isn’t supposed to have such access. At least Oracle will patch that one, since Java 7 is still maintained. In fact, Oracle is acting responsibly for a change in delaying the release of Java 8 while it attempts to beef up the security of Java 7.

If only Java’s users would be similarly responsible and finally put Java 6 out to pasture.


Ray Klump

About Ray Klump

Professor and Chair of Mathematics and Computer Science; Director, Master of Science in Information Security, Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.
