Oracle doesn’t seem to be in a rush to address the vulnerability that affects Java SE 5, 6 and 7 (dubbed Issue 50), even after experts have demonstrated that it would take only 30 minutes or so to patch it up.
However, Security Explorations – the Polish firm responsible for finding an impressive number of Java vulnerabilities in recent years – is determined to raise awareness and educate users and vendors about the threats posed by such bugs.
The experts have an impressive history when it comes to finding security holes in Java SE implementations. They've reported a total of 31 issues to Oracle, 17 to IBM and 2 to Apple.
Now, to sum up what they’ve found over the past years, the company has released a technical report called “Security Vulnerabilities in Java SE.”
The report, along with the presentation for the talk given by Security Explorations CEO Adam Gowdiak at the Devoxx Java Community Conference in Antwerp, Belgium, on November 14, reveals some interesting facts about Java security.
For instance, the techniques used this year to bypass Java’s security were actually discovered 7 years ago and reported to Sun Microsystems, but their details have never been published before.
Experts note that certain Java 7 features are less secure by design. Also, the latest version appears to be less secure than its predecessor.
Furthermore, what many users might not know is that Java issues affect not only web browsers, but servers too.
Finally, the researchers highlight the fact that there are many cases in which vendors not only fail to follow their own secure coding guidelines, but they also fail to learn from past mistakes.
Design and implementation choices can negatively impact the security of a technology for many years and can lead to numerous issues. The most worrying fact about Java is that even small and seemingly unimportant security bugs matter.
The technical report and the presentation are available here.