Calls for Java overhaul grow as more security flaws emerge

News
By
published

Security experts suggest problems in the development cycle of Java could be to blame for recent security woes.

Keyboard lock

Oracle needs to urgently overhaul its Java software platform to eradicate the risk of further security problems coming to light that could pose a risk to users, it has been claimed.

The software giant has come under fire repeatedly over the last six months following the discovery of several security problems affecting the web browser-based versions of Java.

Oracle should just redesign Java from the ground up before everyone completely loses faith in it.

Earlier this month, Mac and PC users were encouraged to disable Java in their web browsers again after another zero-day vulnerability was found that could let hackers take over users' systems.

Oracle released an emergency patch last week to fix the problem, but security researchers claimed it failed to address several critical flaws.

The same researchers, headed up by Security Explorations' Adam Gowdiak, announced the discovery of two further security vulnerabilities on Friday that affect the patch Oracle rolled out last week.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11," said Java security researcher Gowdiak.

He said the flaws have been reported to Oracle, along with a working proof of concept code.

Further to this, it has also emerged that a flaw in Java MBeanInstantiator was also not addressed by last week's patch.

This bug is what inspired Gowdiak to dig around and lead to the discovery of these two further vulnerabilities, he revealed.

Andrew Storms, director of security operations at compliance software firm nCircle, said the security problems that have recently blighted Java should prompt Oracle into overhauling the platform.

"Oracle should just redesign Java from the ground up before everyone completely loses faith in it and other Oracle products," said Storms.

"Obviously, there's something broken in Java development or design cycles. Oracle needs to wake up and get serious about secure software development, it's not like there aren't a lot of examples on how to do it right."

Caroline Donnelly
Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.