Solutionary experts share some insight on Oracle's attempts to make Java more secure

Mar 23, 2013 16:01 GMT

Many Java vulnerabilities have been identified over the past few years and judging by the way things are going, many more will be discovered in the upcoming period.

That’s why it’s worth taking a look at a brief report in which managed security services provider Solutionary highlights the evolution of Java flaws from 1996 to the present day.

According to the figures, from 1996 up until 2005 there were fewer than 10 vulnerabilities reported each year. In 2005, there were over 10, and two years later the 20 mark was crossed.

From there, it was all downhill – or uphill, depending on how you look at it. The record of over 70 vulnerabilities was set in 2009, but by the way things are going, 2013 looks “promising.”

In February 2013, the number of reported Java vulnerabilities was higher than in any single prior month.

In the post published on the company’s blog, Rob Jeffries, research analyst for Solutionary SERT, explains that the problems experienced by the platform are not necessarily caused by security flaws or fundamental design errors.

Instead, they’re more likely the result of Java’s growing popularity and the fact that the security community has become more aware of the situation.

“History will decide if flaws such as the ones we currently face become ‘textbook’ secure-coding lessons in the future, but this will do little for us today,” Jeffries explained in the post.

Over the past few months, Oracle has promised to work on improving Java security. But what do experts think about the progress so far?

“Going back to my 'textbook' comment in the blog post, and thinking back to when I first encountered Java, security of the JVM platform had more to do with securing memory management and source-code protection,” Jeffries told Softpedia in an email.

“I have to give Oracle a lot of credit for seeing the opportunity in supporting and furthering the vision of Java. Securing the platform while also making sure it does not break existing functionality is a challenge; it will not happen overnight and those attacking the platform know this.”

Jeffries believes that Oracle will patch vulnerabilities faster, eventually.

“This dynamic here can only be described as an 'arms-race'. When vulnerabilities are discovered, developers, administrators, security researchers and attackers all learn and share information about them,” the expert explained.

“Yes, I believe Oracle may eventually patch vulnerabilities faster, but getting ahead of the curve will require some fundamentals to be changed. A 'game-changer' if you will,” he added.

“As has been discussed in our recent Quarterly Threat Reports and annual Global Threat Intelligence Report, the larger problem right now, for Java users, is patch-management. The majority of vulnerabilities being leveraged by exploit kits today are between one and three years old. Why wait for a new vulnerability when old ones are still exploitable on countless systems?”

Figures: Reported Java vulnerabilities (per year); Reported Java vulnerabilities (per month)