Oracle's new Java defences already bypassed
Security Explorations researcher Adam Gowdiak says Oracle's new defences for Java applets have already failed and features designed to prevent silent exploits of Java vulnerabilities are easily bypassed. Gowdiak was responding to Oracle's latest attempt to manage the security flaws that are being exposed in Java.
Oracle's Java security lead took to the phones last week to say the company needed to explain what it had done to secure Java in the wake of vulnerabilities previously discovered by Gowdiak. One of the changes was the ability to set a security level to control the execution of unsigned Java applets to Low, Medium, High or Very High. According to Oracle's documentation, the Low setting allows unsigned applets to run, only prompting when a protected resource or an old JRE is requested; Medium only runs applets if the version of Java is "considered secure"; High prompts before any unsigned Java applet runs; and Very High should stop all unsigned applets from running.
Gowdiak calls this "only a theory" and says that he has already developed a proof of concept applet which will successfully run on Windows systems with any of the Java applet security levels set. That includes the latest Java SE 7 Update 11 (1.7.0_11-b21) on Windows 7. Although there are few details, Gowdiak's track record to date suggests that his bypass should hold up to scrutiny. There is no suggestion of his technique having been observed in the wild. His advice for avoiding silent exploits is to enable the "Click to Play" technology for plugins that is implemented in Chrome and Firefox.
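For readers who manage Java through its deployment configuration rather than the Control Panel, the following is an added example (not from the article, Oracle or Security Explorations) of what the two settings discussed here look like side by side: the security level the article describes, and the browser-plugin switch that Oracle's updates added. The file path is the usual system-level location on Windows; the two key names, `deployment.security.level` and `deployment.webjava.enabled`, are Oracle's deployment property names as documented for Java 7 Update 10 and later, and the values shown are assumed to map to the Control Panel choices as described above.

```properties
# Constructed example of a system-level deployment.properties
# (typical Windows path assumed: C:\Windows\Sun\Java\Deployment\deployment.properties)

# The security-level slider the article discusses. Raising it only
# changes when Java prompts for unsigned applets; the article reports a
# proof-of-concept applet that runs at any of these levels, so this
# setting alone is not a reliable control.
deployment.security.level=VERY_HIGH

# The mitigation The H recommends: remove Java from the browser entirely.
# This is the Control Panel's "Enable Java content in the browser"
# checkbox in its configuration-file form (false = disabled).
deployment.webjava.enabled=false
```

Setting `deployment.webjava.enabled=false` removes the attack surface rather than gating it, which is why it is the stronger of the two settings; the security level only matters for users who must keep the browser plugin enabled.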
It does seem strange that Oracle's commitment to "fix Java" has not involved bringing third parties like Gowdiak onboard to at least verify their new security measures, but Oracle's handling of Java security issues has been far from confident. Along with the security issues with Java, Oracle's packaging of Java with third party applications such as the "Ask Toolbar" has been called into question because of the dubious tactics it uses.
Oracle allows the third-party toolbar to wait for ten minutes after Java's installation before installing itself, in a practice described by one Java User Group leader as "squirrely". Such bundling puts many users off upgrading their Java installations for fear of getting unwanted software on their systems, which in turn leaves those same users exposed to newly discovered security flaws in Java. In the call last week, Oracle was vague about why it continued to bundle such toolbars, claiming it inherited the practice from the Sun era and that there were contractual obligations to be considered. Even if Oracle manages to fix that, there is still the problem of the update process only checking occasionally and requiring the user to actively manage the installation.
The H continues to advise users to disable Java in their browsers. The most recent Java updates, Java 7 Update 10 and 11, include a switch in the Java Control Panel on Windows to disable Java in the browser. For other versions of Java and browsers: