Why is Oracle so slow?


Casper Bang

Aug 30, 2012, 1:14:47 AM
to java...@googlegroups.com
Forget about spending a decade debating closures - I'm talking about patching security holes here! The last couple of years, Java has become the predominant vector of attack, to the point that I recommend friends and family *not* to run it at all. Life is rarely that simple however, as is e.g. the case with a Danish national SSO solution (taxes, banks etc.), for all practical purposes requiring applet functionality to be enabled for every citizen.

The latest vulnerability already seems to have the Poison Ivy trojan spreading all over. It seems however, we're far from zero-day vulnerability attacks, as these were brought to Oracle's attention some 4 months ago: http://www.security-explorations.com/en/SE-2012-01-press.html

I have now stitched together a Chrome plugin to only allow certain trusted applets to run, but your average Joe doesn't have that option. There's still no fix available and that's just not good enough!

Ryan Schipper

Aug 30, 2012, 2:23:39 AM
to java...@googlegroups.com
Based on extensive experience in large organisations, the likely culprits are:

- Assessment and Prioritisation (anyone with visibility of Oracle's security team size and load, here?)
- Regression Testing
- Motivation ($$$)

To a lesser degree, their change control workflow could also be a barrier. Organisations generally expedite security patches, but in the wrong (right?) environment, the end-to-end approvals process could still take a week. Fancy a visit to your local Change Advisory Board, anyone?

Frankly, 'Java' isn't really the problem - the problem is the prevalence of unpatched Java (and Flash and more generally, third party software) installations. 

The Australian DSD (our version of the NSA) indicated recently that 85% of the incidents they investigated could have been avoided through:
- effective patch management (3rd party and OS)
- applying the least-privilege principle
- implementing application whitelisting

--
You received this message because you are subscribed to the Google Groups "Java Posse" group.
To view this discussion on the web visit https://groups.google.com/d/msg/javaposse/-/hJTW5OLDg6wJ.
To post to this group, send email to java...@googlegroups.com.
To unsubscribe from this group, send email to javaposse+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/javaposse?hl=en.

Fabrizio Giudici

Aug 30, 2012, 3:32:00 AM
to java...@googlegroups.com, Ryan Schipper
On Thu, 30 Aug 2012 08:23:39 +0200, Ryan Schipper <psych...@gmail.com> wrote:


> The Australian DSD (our version of the NSA) indicated recently that 85%
> of
> the incidents they investigated could have been avoided through:
> - effective patch management (3rd party and OS)
> - applying the least-privilege principle
> - implementing application whitelisting

I agree, but Casper has got a point in saying that *now* there's a dangerous security hole for which there's no patch and thus the only solution is to disable Java. It's obvious that this solution creates problems for the reputation of Java. So I hope Oracle will release a fix in a matter of *days*. At this point, one will be able to assert that the responsibility has been shifted to people that don't apply the patch.

The only refinement to Casper's original question is a comparative one: is Oracle really slower than others? E.g. Apple in the past was terribly slow in releasing patches and there were cases in which some big security holes related to Java were exposed for a long time.

--
Fabrizio Giudici - Java Architect, Project Manager
Tidalwave s.a.s. - "We make Java work. Everywhere."
fabrizio...@tidalwave.it
http://tidalwave.it - http://fabriziogiudici.it

Kevin Wright

Aug 30, 2012, 4:15:41 AM
to java...@googlegroups.com, Ryan Schipper
On 30 August 2012 08:32, Fabrizio Giudici <Fabrizio...@tidalwave.it> wrote:
> On Thu, 30 Aug 2012 08:23:39 +0200, Ryan Schipper <psych...@gmail.com> wrote:
>> The Australian DSD (our version of the NSA) indicated recently that 85% of
>> the incidents they investigated could have been avoided through:
>> - effective patch management (3rd party and OS)
>> - applying the least-privilege principle
>> - implementing application whitelisting
>
> I agree, but Casper has got a point in saying that *now* there's a dangerous security hole for which there's no patch and thus the only solution is to disable Java. It's obvious that this solution creates problems for the reputation of Java. So I hope Oracle will release a fix in a matter of *days*. At this point, one will be able to assert that the responsibility has been shifted to people that don't apply the patch.
>
> The only refinement to Casper's original question is a comparative one: is Oracle really slower than others? E.g. Apple in the past was terribly slow in releasing patches and there were cases in which some big security holes related to Java were exposed for a long time.


Isn't that a bit like saying: "Well okay, snails may seem slow, but you only think that because you haven't seen the sloth yet!".

Whether or not anyone else is (or was) just as slow (or slower) is irrelevant. Oracle should be judged entirely on their own merits, or the lack thereof. If you're going to compare them to anything, compare them to the speed of the hackers who'll be exploiting this bug.

Jess Holle

Aug 30, 2012, 7:07:37 AM
to java...@googlegroups.com, Casper Bang
I too love to gripe about big corporations of all stripes, but...

Just hold your horses just a bit longer here.

Casper Bang

Aug 30, 2012, 7:16:11 AM
to java...@googlegroups.com, Casper Bang
On Thursday, August 30, 2012 1:07:43 PM UTC+2, JessHolle wrote:
> I too love to gripe about big corporations of all stripes, but...
>
> Just hold your horses just a bit longer here.

Usually I would, but 4 months seems long for such a serious bug that affects so many across language, culture and platform (we're likely talking > 100M installations). People are taught to stay up-to-date. However, in this case, running the top-notch JDK7 is less safe than running an older 6.0.

Fabrizio Giudici

Aug 30, 2012, 7:28:37 AM
to java...@googlegroups.com, Kevin Wright, Ryan Schipper
On Thu, 30 Aug 2012 10:15:41 +0200, Kevin Wright <kev.lee...@gmail.com> wrote:

> Isn't that a bit like saying: "Well okay, snails may seem slow, but you
> only think that because you haven't seen the sloth yet!".

No, it isn't. My security is menaced by the slowness of Oracle as well as of Apple and others, so things must be put in context. Furthermore, if Oracle is the only one to be slow, one might think that it's their specific faulty process. If all manufacturers are slow, perhaps it's an inherent problem of the technology or such.

Thomas Matthijs

Aug 30, 2012, 7:33:22 AM
to java...@googlegroups.com
On Thu, Aug 30, 2012 at 1:28 PM, Fabrizio Giudici <Fabrizio...@tidalwave.it> wrote:
> On Thu, 30 Aug 2012 10:15:41 +0200, Kevin Wright <kev.lee...@gmail.com>
> wrote:
>
>> Isn't that a bit like saying: "Well okay, snails may seem slow, but you
>> only think that because you haven't seen the sloth yet!".
>
>
> Np, it isn't. My security is menaced by the slowness of Oracle

I can walk up to your house, throw a brick at a glass surface and
steal everything you own. Please fix in 2 days.

Fabrizio Giudici

Aug 30, 2012, 7:52:11 AM
to java...@googlegroups.com, Thomas Matthijs
On Thu, 30 Aug 2012 13:33:22 +0200, Thomas Matthijs <li...@selckin.be> wrote:

Well, no, you can't. I live on the 6th floor and I'd really like to see you climbing the wall :-)

Ricky Clarkson

Aug 30, 2012, 7:53:40 AM
to java...@googlegroups.com, Thomas Matthijs

New startup idea: installing elevators and staircases in Italy.


Fabrizio Giudici

Aug 30, 2012, 7:59:39 AM
to java...@googlegroups.com, Ricky Clarkson, Thomas Matthijs
On Thu, 30 Aug 2012 13:53:40 +0200, Ricky Clarkson <ricky.c...@gmail.com> wrote:

> New startup idea: installing elevators and staircases in Italy.

:-)

But you can't throw a brick at my windows from the elevator and staircases. And my door is armored.

Jess Holle

Aug 30, 2012, 8:26:06 AM
to java...@googlegroups.com, Casper Bang
Hmm....

I guess I'm slow here. I only heard about the latest vulnerability on 8/26 or so. I can't see anything indicating it was widely known prior to that.

I'm missing where the 4 months comes from on the latest issue.

Some vulnerabilities may have gone 4 months -- but some vulnerabilities are rather minor too.

Kevin Wright

Aug 30, 2012, 8:47:59 AM
to Fabrizio Giudici, java...@googlegroups.com, Ryan Schipper
On 30 August 2012 12:28, Fabrizio Giudici <Fabrizio...@tidalwave.it> wrote:
> On Thu, 30 Aug 2012 10:15:41 +0200, Kevin Wright <kev.lee...@gmail.com> wrote:
>
>> Isn't that a bit like saying: "Well okay, snails may seem slow, but you
>> only think that because you haven't seen the sloth yet!".
>
> No, it isn't. My security is menaced by the slowness of Oracle as well as of Apple and others, so things must be put in context. Furthermore, if Oracle is the only one to be slow, one might think that it's their specific faulty process. If all manufacturers are slow, perhaps it's an inherent problem of the technology or such.


I think you misunderstood. I was just claiming that Oracle can still be called slow, even if someone else is slower.

All of our security is at risk and I firmly believe that it's because Oracle are sucking up to the investment banks with their firewalls and aversion to change, instead of considering the millions of non-bank Java users.


Fabrizio Giudici

Aug 30, 2012, 9:07:06 AM
to Kevin Wright, java...@googlegroups.com, Ryan Schipper
On Thu, 30 Aug 2012 14:47:59 +0200, Kevin Wright <kev.lee...@gmail.com> wrote:

> On 30 August 2012 12:28, Fabrizio Giudici <Fabrizio...@tidalwave.it> wrote:

> I think you misunderstood. I was just claiming that Oracle can still be
> called slow, even if someone else is slower.
>
> All of our security is at risk and I firmly believe that it's because
> Oracle are sucking up to the investment banks with their firewalls and
> aversion to change, instead of considering the millions of non-bank Java
> users.

I think that you misunderstood me :-) I'm not denying that Oracle is slow. I'm saying that, at least, Apple is slow too. I'd like to know about other players, and understand whether Oracle is slower than others or not.

Ryan Schipper

Aug 30, 2012, 9:14:01 AM
to Fabrizio Giudici, java...@googlegroups.com, Kevin Wright
It is an inherent problem of the software industry.

Secure software costs increasingly more money for decreasingly tangible benefit. Security is (more often than not) secondary to functionality, profit and time to market.

Ask your mum/sister/brother/uncle/neighbor if they want 'the Internet' to be secure. Ask them how much more they want to pay for that security.

Compare the amount of money people are willing to pay for security with the amount of profit a malware author will make by writing an exploit.

There's your metric.

On Thursday, August 30, 2012, Fabrizio Giudici wrote:
> On Thu, 30 Aug 2012 10:15:41 +0200, Kevin Wright <kev.lee...@gmail.com> wrote:
>
>> Isn't that a bit like saying: "Well okay, snails may seem slow, but you
>> only think that because you haven't seen the sloth yet!".
>
> No, it isn't. My security is menaced by the slowness of Oracle as well as of Apple and others, so things must be put in context. Furthermore, if Oracle is the only one to be slow, one might think that it's their specific faulty process. If all manufacturers are slow, perhaps it's an inherent problem of the technology or such.


Casper Bang

Aug 30, 2012, 9:37:35 AM
to java...@googlegroups.com, Casper Bang


On Thursday, August 30, 2012 2:26:11 PM UTC+2, JessHolle wrote:
> Hmm....
>
> I guess I'm slow here. I only heard about the latest vulnerability on 8/26 or so. I can't see anything indicating it was widely known prior to that.
>
> I'm missing where the 4 months comes from on the latest issue.
>
> Some vulnerabilities may have gone 4 months -- but some vulnerabilities are rather minor too.

There's a high-level report about it at arstechnica:

If it already made it into malware kits, works on all platforms, and considering there are 100M installations vulnerable - then it's a very serious issue for Oracle and Java's rep.

Jess Holle

Aug 30, 2012, 9:44:14 AM
to java...@googlegroups.com, Casper Bang
Ah...

I'd missed that article.

Yes, that is rather reprehensible!

[I'd assumed the flaw was either newly discovered or hadn't been privately known that long.]

Puybaret

Aug 30, 2012, 2:33:47 PM
to java...@googlegroups.com
The weirdest thing is that Oracle hasn't communicated on its web site about this issue yet. :-(
Do they want to kill Applets and JWS or what?

Joseph Darcy

Aug 30, 2012, 3:08:32 PM
to java...@googlegroups.com
For the official response about CVE-2012-4681 see:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

New releases available for download:
7u7: http://jre.us.oracle.com/java/re/jdk/7u7/promoted/fcs/b10/bundles/
6u35: http://jre.us.oracle.com/java/re/jdk/6u35/promoted/fcs/b10/bundles/

Joseph Darcy

Aug 30, 2012, 3:54:48 PM
to java...@googlegroups.com
Correct download links for new releases:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

phil swenson

Aug 30, 2012, 5:36:57 PM
to java...@googlegroups.com
That's a great solution. Kill Applets/JWS. Maybe they could put those resources into something useful. They lost the UI wars (esp in the browser) many years ago.

On Thu, Aug 30, 2012 at 12:33 PM, Puybaret <puyb...@eteks.com> wrote:
> The weirdest thing is that Oracle hasn't communicated on its web site about this issue yet. :-(
> Do they want to kill Applets and JWS or what?

Jon Kiparsky

Aug 30, 2012, 5:39:27 PM
to java...@googlegroups.com
I thought applets had died out years ago...

Ricky Clarkson

Aug 30, 2012, 5:51:07 PM
to java...@googlegroups.com

Cisco uses applets to get a VPN client onto your machine. I enjoy playing an online pool game that's an applet (http://www.funkypool.com , also http://www.funkysnooker.com). My old company in the UK continues to use a Java applet with C library support (hence signed) to display video from live security cameras.

Other than isolated cases I'm sure it's disappearing in favour of HTML5. If we could have proper OS-level sandboxing so that a Windows user could download an .exe, .jar, etc., knowing that the program could only access what it's given permission to, I think we could see a resurgence in desktop apps, especially given their simpler programming model. Not necessarily applets, just desktop apps.

Android and iPhone do this and people have little problem downloading an app; I hope desktop OSs catch up.

Casper Bang

Aug 31, 2012, 4:20:10 AM
to java...@googlegroups.com
Very good news! I hope automatic updates soon will render the security issue moot for the general public.

Fabrizio Giudici

Aug 31, 2012, 4:37:19 AM
to java...@googlegroups.com, Casper Bang
On Fri, 31 Aug 2012 10:20:10 +0200, Casper Bang <caspe...@gmail.com> wrote:

> Very good news! I hope automatic updates soon will render the security
> issue moot for the general public.

So in the end Oracle wasn't so slow this time, right? :-)

Ricky Clarkson

Aug 31, 2012, 7:27:52 AM
to java...@googlegroups.com

If automatic updates haven't already been turned off, sure. My company somehow blocked applets temporarily and advised those with admin rights to disable automatic updates for now.

Ben Smith-Mannschott

Aug 31, 2012, 7:33:02 AM
to java...@googlegroups.com
On Fri, Aug 31, 2012 at 10:37 AM, Fabrizio Giudici <Fabrizio...@tidalwave.it> wrote:
> On Fri, 31 Aug 2012 10:20:10 +0200, Casper Bang <caspe...@gmail.com>
> wrote:
>
>> Very good news! I hope automatic updates soon will render the security
>> issue moot for the general public.
>
>
> So in the end Oracle wasn't so slow this time, right? :-)
>

Yea... sure, after doing nothing for four months, they sure hurried in the last four days.

:-/

// Ben

Casper Bang

Aug 31, 2012, 7:34:18 AM
to java...@googlegroups.com, Casper Bang

On Friday, August 31, 2012 10:37:34 AM UTC+2, fabrizio.giudici wrote:
> So in the end Oracle wasn't so slow this time, right? :-)

Nope, in an isolated context, it doesn't look too bad:

22/8 - Symantec and other security companies start to see the major culprit CVE-2012-4681 being utilized in the wild:

26/8 - FireEye is first to go public with the report of CVE-2012-4681:

27/8 - The issue becomes *very* public and various combinations make it into malware kits:

28/8 - Makes less than positive public headlines all over the world:

30/8 - Oracle patches several security holes out-of-band, most of which were probably in the pipeline for October.

In the grand scheme of things, it's an unfortunate fact that Java has risen to become the single biggest vector of attack. Deserved or not, these last incidents certainly don't do much to try to turn this reputation around.

Oracle was originally made exclusively aware of some 19+ identified weaknesses by a security research company, back in April. Oracle pushes security updates out 3 times a year, but for some reason Oracle only fixed 3 of these issues in their June update:

Something must have gone wrong at the triage step, for so many vulnerabilities to be dismissed initially, only to later be combined into various severe zero-day attacks. Especially considering that, by Oracle's own records, the JRE is installed on some 3bn machines world-wide. Perhaps Oracle should revise their triage-policy and/or update-strategy if it wants to stay relevant as a desktop technology.

Fabrizio Giudici

Aug 31, 2012, 8:59:18 AM
to java...@googlegroups.com, Ben Smith-Mannschott

Ryan Schipper

Aug 31, 2012, 6:45:04 PM
to java...@googlegroups.com, Ben Smith-Mannschott
The same team that reported these issues ( http://www.security-explorations.com/ ) has just notified Oracle of another security issue resulting in full sandbox escaping.

Let the games continue.

Jim Cheesman

Sep 4, 2012, 4:30:06 AM
to java...@googlegroups.com
They're still used for things like browser-based digital signing, at least here in Spain. The official ID card (which everyone over 16 is legally obliged to possess) includes a digital certificate (actually 2) for access to government services online. This is commonly implemented using a Java applet. (OK, the access doesn't require an applet, but signing any official request does.)

Casper Bang

Sep 4, 2012, 2:46:54 PM
to java...@googlegroups.com
Unfortunately the same applies in Denmark, where it's needed even to log in. To make things worse, its primary purpose seems to be to be able to bootstrap unknown lazily-loaded code and use JNI to launch native stuff. *Head down in embarrassment*

Ryan Schipper

Sep 4, 2012, 5:16:42 PM
to java...@googlegroups.com
Java applets are also used in Australia to access the Tax Office and other departments' online services using digital certificates.

I worked in the responsible team for 5 years. For obvious reasons I can't discuss in detail. That said, it's hard to refute that implementing a single Java applet is a lot more cost effective than developing and maintaining native add-ons (or plugins) for two platforms and six different browsers.

As far as I know, the EcmaScript standard doesn't define an interface for X.509 / PKCS#11. If it did, there would be significantly fewer applets in the world. Mind you, people would then ring up and complain when their key store doesn't persist between browsers (due to a lack of CAPI / Keychain integration).

=)

Fabrizio Giudici

Sep 4, 2012, 5:23:25 PM
to java...@googlegroups.com, Ryan Schipper
Back to the original topic, there's a claim that a Java vulnerability has been used to attack an FBI agent's computer and steal some sensitive data:

http://www.informationweek.com/security/attacks/antisec-hackers-post-1-million-apple-dev/240006696

Not all details are clear, though.

Kevin Wright

Sep 4, 2012, 6:00:58 PM
to java...@googlegroups.com
EcmaScript might not, but I'm pretty sure that HTTP does. Is there a browser/OS combo out there nowadays that WON'T offer to install a certificate in a well-known format? Even cUrl has certificate support.

Personally, I think that web devs should be legally obliged to download at least 10% of their content using cUrl.  We'd lose the most painful redirect chains in a week, and halve the burden on mobile broadband networks as a result (yes, t.co and bit.ly, I'm looking straight at you!)

Ryan Schipper

Sep 4, 2012, 6:57:49 PM
to java...@googlegroups.com

This isn't the forum for a full blown discussion of the financial, policy and legal reasons that SSL is not appropriate. Off the top of my head, consider:

- does SSL support transaction signing or granular encryption?
- the technical and support implications of end user key generation requirements
- accountability for a single credential which can be installed on more than one computer
- support for password caching and its effect on non-repudiation

Mark Derricutt

Sep 6, 2012, 6:54:28 PM
to java...@googlegroups.com
And afaik it not only affects applets. If my understanding is correct, this should be able to be exploited by ANYONE who allows third party code to run in their JVM - think hosting providers, postgresql servers with pljava as a stored procedure language, cloud providers…..

Jim Cheesman

Sep 7, 2012, 5:04:41 AM
to java...@googlegroups.com
One thing's installing a cert or validating a client (HTTPS with client auth), another thing is in-browser signing. In this second case HTTP plays no part (beyond transmitting the signed document to the server, of course).

Interestingly, and on-topic, the latest podcast mentioned that the new JDK8 spec includes PKCS#11, which would presumably help with cross-browser applet implementation problems.
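The distinction Jim draws here (authenticating a client at the TLS layer versus signing a document in the browser), together with the transaction-signing and non-repudiation points in Ryan's list above, is easiest to see in code. The following is an added illustration, not code from this thread or from any of the national signing applets it mentions: a request is signed on the client with the citizen's private key and verified on the server from the certificate's public key alone, with no dependence on the HTTPS session that carried it. The in-process RSA key pair and the request fields are constructed for the example; in the real deployments the key lives on the ID card behind PKCS#11 and never leaves it.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/** Added illustration of per-transaction signing; not code from the thread. */
public class TransactionSigning {

    // Assumption for the example: the key pair is generated in-process so it runs
    // offline. In the national ID-card systems discussed above the private key sits
    // on a smartcard reached through PKCS#11 and is never exported.
    static KeyPair generateCitizenKey() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Client side (the applet's job): sign the exact bytes the user approved.
    static String sign(PrivateKey key, String request) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(request.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Server side: verify with the public key taken from the citizen's certificate.
    // The TLS session that carried the request plays no role; the signature is a
    // stand-alone artifact bound to this one request.
    static boolean verify(PublicKey key, String request, String signatureB64)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(request.getBytes(StandardCharsets.UTF_8));
        return s.verify(Base64.getDecoder().decode(signatureB64));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair citizen = generateCitizenKey();
        // Constructed sample request; the field names are illustrative only.
        String request = "form=tax-return;taxpayer=1234567890;declared-income=41200";
        String sig = sign(citizen.getPrivate(), request);

        System.out.println("original verifies:  " + verify(citizen.getPublic(), request, sig));

        // Any change to the signed bytes, e.g. an altered amount, breaks the signature.
        String tampered = request.replace("41200", "21200");
        System.out.println("tampered verifies:  " + verify(citizen.getPublic(), tampered, sig));

        // Neither another citizen's key nor the server's own key can stand in for the signer.
        KeyPair other = generateCitizenKey();
        System.out.println("other key verifies: " + verify(other.getPublic(), request, sig));
    }
}
```

Because each request carries a signature over its exact content, the server keeps a verifiable record tied to that one transaction, which is what TLS client authentication (proof of key possession at session setup, then an authenticated channel) does not give it. That is the gap behind the "transaction signing" and non-repudiation items in Ryan's list, and why the signing step cannot be replaced by installing the certificate in the browser alone.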