Companies can work as hard as they want to protect their Internet security, but flaws in third-party software can undermine even the best-laid plans. This is one issue companies need to consider with Oracle Corporation’s Java software, which was shown to have a flaw that caught the attention of the Department of Homeland Security after a pattern of many problems over the years. Fox News reported that DHS issued an advisory telling users to temporarily disable Java on their computers to avoid hacking attacks and exploits, as the flaw in Java would allow for criminal attacks.
The site reported that a patch to fix the security holes was released on the company’s website, but researchers don’t believe the fix goes as far as it needs to. Adam Gowdiak, a researcher with Poland’s Security Explorations, told Reuters that several issues remain even with the fix in place. He said he wouldn’t dare tell users to enable Java again, and many others have told businesses to disable Java completely for good.
Esteban Guillardoy, a security researcher with Immunity, said that the update did patch the recursive reflection vulnerability but did not do everything it could have done to make things right.
“An attacker with enough knowledge of the Java code base and the help of another zero-day bug to replace the one fixed can easily continue compromising users. (Assuming they now use a signed Java applet—one of the other changes introduced in this patch.)” he wrote on his blog.
Changes must be made
H.D. Moore, chief security officer of Rapid7, told eWeek that there is no doubt the patch was incomplete, as it was released under duress and needed to fix multiple Java vulnerabilities at once. He believes the company is likely working hard on a new fix to complete the patch.
There may be more that needs to be done: according to the site, Moore said the era has changed and the Java security model has not kept up with how browser-based attacks work.
“Notwithstanding sandbox escapes, the capabilities available to a Java applet still exceed what comparable plugin technologies allow,” Moore said. “Java has a ridiculous amount of functionality and has to contend with backwards compatibility issues to boot. The recent vulnerability involving the JMXBeanServer class is a great example of a Java applet being able to access a class it really has no business using in the first place.”
Security News from SimplySecurity.com by Trend Micro.