Quick note on the state of Java
By now, you might have heard about the security bug that is affecting Java. If you’ve been living under a rock or if you just returned from a trip to Mars, here’s a short run-down to help you understand what I’ll be talking about next.
There is a serious bug in Java 1.7 that also affects the very latest version available on the market (Update 10, that is). To add insult to injury, the exploitation code has made it into the world’s most popular attack toolkits, including Metasploit, and a fully documented proof of concept has also leaked on Pastebin.
For those outside the security industry, I should also mention that catching exploits is something MOST anti-viruses are not ready for. Without any official resolution to the issue and with people surfing the web without proper AV protection, one would expect things to escalate quickly.
I had the opportunity to talk about this with John Mello in an interview for PC World. After going through the issue, when asked what solution I see to this, I replied frankly that maybe Oracle should consider rewriting some core components of the Java VM. Mark my words: it was never about fully rewriting Java, I know what that involves. It’s just a rewrite of a pestering API that has caused tens of incidents in less than one year.
At this point, most security researchers in the world and I recommend one thing to avoid getting infected: disabling Java or wiping it off the PC immediately. That’s even the official recommendation of the company that builds it. Yes, it’s that serious. It’s a normal thing since roughly 100 million PCs run Java 1.7 and there is simply no fix to stop an attack against your machine. The thing is that these guys I mentioned and I have made the same recommendation throughout 2011 and 2012. Actually, I think that we recommended turning off Java for so long that one could hardly use it in the past two years. All this because of the security flaws that involved huge risks for users.
Don’t get me wrong, I love Java. I consider it to be the best thing when you have to address a heterogeneous mass of computer users, be they running OS X, Linux, Android, or Windows. Hell, it even works on cars and TV sets, and I bet that it could be made to run on a potato, literally. It has the power of C++, the verbosity of C# and the ease of use in multiple environments that competes with Python, for instance. It’s great. But we started to fear it, and this is not good.
The interview sparked an intense debate on Reddit about my suggestion to rewrite some core components. I know this sounds utopian; I admitted it long before readers got their hands on the article. It reads “Oracle isn’t open to making major changes because they could break applications already in the market”. Rewriting Java from scratch is an impossible task. It would take years and nothing that has been designed in Java would work again.
But rewriting core components of specific APIs should be no issue. I saw references to Joel Spolsky’s “Things Not to Do” series. I’ve been coding since 1994, since I was 11, although I’ve never made a living off it. I know how complex code can grow and I’ve seen great projects become an utter mess just because they passed through multiple teams of coders that have been cyclically employed and then discharged.
Code has a personality of its own and grows proportionally complex as it gets new features. I, for one, tend to rewrite an application every once in a while because it becomes so complex in time that I save more by re-engineering it than by trying to comprehend what I wrote aeons ago. Plus, the quality of my code improves year by year. That’s probably what happened with the multitude of teams that worked on the project, especially following Java’s transition from Sun to Oracle.
I’m not talking about rewriting Java, I never did, because it would probably be easier to migrate to a different programming language than to build a brand-new version of a product. I’m just hinting at rewriting and sanitising a piece of code that has constantly kept Java as per the recommendations of the security industry, namely DISABLED.
Yes, there may be risks. Some things may get broken in transition, but nobody will be forced to update / upgrade. There should be, however, a safe alternative on which corporate users whose security is priceless would be able to build their updated applications.
Yes, it may take a while to deploy applications, but this is how the software industry works. In a similar way, you can stick with the antique Windows XP if you don’t want to break compatibility with your apps, but at the same time, you have a decent option of migrating to Windows 8 for extra safety at the cost of having some of your applications inoperable until they are updated.
Yes, it’s costly. Yes, it’s messy and confusing. Yes, it’s against the principles of commercial software. But we’re talking about software that powers three billion devices worldwide, some of them belonging to your acquaintances, family or close friends. Some others are purely powering your business.
All of them are important for you, one way or another. So, first and foremost, we need to ensure that it is secure. And if it’s not, we should think first about how to make it so; otherwise, we risk having a great piece of technology that stays disabled at all times because Joel’s rules do not allow us to fix it.