Wednesday, September 26, 2012

Java: Unsafe At Any Version:
Sandboxing is essentially gone

--
According to the latest testing, there is no safe version of Java available. This affects Java versions 5, 6 and 7 in their entirety. The latest version of Java from Apple, v1.6 update 35, is included.

The problem: Sandboxing in Java is no longer reliable. Methods of bypassing the sandbox are being consistently discovered. As a result, website malware applets are able to break through into victims' computers and zombie/bot/PWN them with the user's privileges. If the user is running as Administrator, the machine is entirely controlled.

Conclusion: Turn Java OFF when surfing the web.

I've covered how to turn Java off on OS X in previous posts. You can either:

1) Use the Java Preferences app in your Utilities folder, which is what I recommend.

OR

2) Turn Java off within each individual web browser, which is better than nothing, but prone to user failure.

Only turn Java on when you have already gone to a trusted website that REQUIRES Java. Turn it off again BEFORE you leave that website.

Another approach is to use one specific browser, with Java turned on, for browsing ONLY trusted websites that require Java. Quit the browser before you leave those websites.


THE EVIDENCE:

All of the recent Java sandbox vulnerabilities are being reported by a Polish software security firm named Security Explorations. Yesterday's Java vulnerability was announced at SecLists.org. They provide a timeline of their vulnerability announcements HERE.


THE OPINIONS:

Below is a set of links to various articles describing the situation. This issue is best discussed via an interview with Security Explorations CEO Adam Gowdiak in an article by Darlene Storm of Computerworld, which I placed at the top of the list:


A JAVA UPDATE?

Oracle will begin this year's JavaOne 2012 conference on September 30th. That would be the soonest we would see another Java update. The next 'scheduled' update for Java is October 16th. Presumably Apple is poised to release the OS X rendition of that update soon thereafter. (Apple and Oracle have made the OS X JRE, Java Runtime Engine, an open source project.)


MY OPINION:

If all of Security Explorations' reports are correct, I consider sandboxing in Java to be fundamentally broken and unreliable. That this has been the case way back to Java 1.5.x (aka 'Java 5') is a stunner. I haven't kept up with changes in Java over the past several years as I had given up on it as a superior programming language. Clearly, Java has fallen down on its fundamental security goals. I'm not sure it is ever going to get back up. Oracle has proven that they don't have the interest or stamina to provide Java with the serious attention it requires. As I've pointed out frequently, when a company creates a standard periodic security update schedule, you know they're not being realistic. This has been the case with Microsoft and Adobe for years and is repeating itself with Oracle.

I'm not ringing a death knell, but the situation does indicate that there must be a fundamental rewrite of the JRE foundation code for sandboxing. It's not working. It's time for Java 2.0.
--
