How the Java Security Situation Quietly Got Much Worse

Critical developments in situations sometimes happen very quietly; so quietly that not many people notice at the time they happen. We’ve recently turned a bad corner like this in the Java security situation. And there’s every reason to believe that this worsened situation is here to stay, and likely to get even worse before it gets better.

The situation around security and Java has been bad since the start of the year and we’ve all known that. Oracle has acknowledged the gravity of the situation and committed to a Microsoft-style “security push”. That’s good and the right thing to do. But as I’ve said in my commentary on Oracle’s move, the Microsoft experience teaches us that these situations get worse before they get better. And now events are proving that assessment to be accurate.

There are two recent developments that show how this situation has permanently changed for the worse. We are seeing attacks targeting unpatched vulnerabilities in Java 6, a widely-deployed but no-longer supported version of Java. And we are seeing an increase in attack sophistication with attackers carrying out lower level attacks against the Java Native Layer. Taken together these developments tell us that the threat environment for Java has increased significantly in ways that are not easy to address.

Attacks against Unsupported Java 6

The recent attacks against vulnerabilities in Java 6 are a major, new development not only for Oracle but the industry as a whole. Oracle ended support for Java 6 in February 2013. With this deadline they stopped providing security fixes for Java 6. While a vendor ending support and no longer providing security fixes isn’t a new thing, the fact that more than 50% of users out there are still running Java 6 makes this an unprecedented situation. Even the retirement of previous versions of Microsoft Windows hasn’t seen support go away with 50% of users still on the unsupported version. This is a large pool of vulnerable users who will never be protected with security fixes and so viable targets for attack.

And now we are seeing the first instance of active attacks against this large pool of vulnerable targets. With the JAVA_EXPLOIT.ABC attack targeting CVE-2013-2463 we have a patched Java 7 vulnerability that’s unpatched on Java 6 and being attacked. While the attacks aren’t widespread yet, it has been incorporated into the Neutrino Exploit Kit which points to a high likelihood of increasing attacks against this vulnerability.

But this won’t be the last time we’ll face this situation. This is the first in what is sure to be an ongoing series of attacks against unpatched Java 6 vulnerabilities. As long as a sizeable pool of people stay on this unsupported version of Java attacks will be viable. And so attacks will be carried out.

Attacks against Java Native Layer

The other development, an increase in attacks against the Java Native Layer, makes this bad situation even worse. Increased attacks against the Java Native Layer indicate that attackers are getting more sophisticated in their ability to attack Java. Historically too, lower layer attacks tend to be harder to protect against and more serious in their impact on the target system.

Since we know Java 6 won’t be getting fixes for its vulnerabilities now the only means to protect Java 6 against attacks is to protect against the attacks themselves. But with the attacks getting more sophisticated that means protections against the attacks need to increase in sophistication as well. We can and will meet that challenge: but it only serves to make the Java 6 situation more difficult. And it indicates that Java 7, even though supported, is likely in for a rough time as well.

The increasing sophistication these attacks show tell us that attackers are becoming very familiar and comfortable with Java as a platform to attack. We saw this happen with Microsoft Windows and there we saw that meant the attackers were there for the long haul, using their increasing sophistication to match and undermine the security improvements the vendor made. Oracle’s security push will push the unsophisticated attackers off their platform, but the sophisticated attackers would seem to be settling in for the long haul.

Lessons for Today

The lessons for all of us of these developments are very clear. First, everyone should make a priority of being on the latest, supported version of Java. Second, those who have to run old unsupported versions for whatever reason should be sure to have good active protections against attacks. Third, Java (like all software on the Internet) should be used only an as needed basis: if you don’t need it, disable it.

But not everyone is going to be able to follow all or even any of those recommendations. Java is used on devices and in embedded systems in ways that mean we all have Java running in places we don’t know about and on systems we can’t update. This means we have to look to protect not just the devices but the network itself. Ironically, it gives a new, darker meaning to Sun Microsystems’ (the creator of Java) old marketing slogan “The Network is the computer."

The last lessons from the Java 6 situation are for the industry as a whole as we prepare for May 2014, the first month Microsoft will not provide security fixes for Windows XP. We can learn from how we deal with Java 6 ways to help deal with Windows XP’s retirement next year.

Of course, there is real concern that Java 6 and Windows XP together can help create a perfect storm of permanently vulnerable systems. It could be that next summer will be a bad one for us but a great one for cybercriminals if together these unsupported platforms provide a large pool of potential victims. It could be not just the Java situation that’s gotten worse, but the overall threat environment. We’ve taken our first steps into uncharted territory: it’s hard to know for sure how this will end.