Java is one of the most widely used pieces of software in the world. Unfortunately, it has been under fire for containing too many security vulnerabilities and loopholes. The U.S. Department of Homeland Security recently advised users to disable it on their machines. To make things worse, yet another zero-day vulnerability has been discovered in Java.
Immediately after Homeland Security's advisory, Oracle was quick to ship a security update for the software. The update patched a number of security vulnerabilities in Java but still left many other issues unattended. The problem with Java is that for Oracle, the company that oversees its development, security hasn't exactly been a primary concern.
And so, over the years, the software has come to contain an alarmingly large number of security flaws. This has now been made all the more obvious by the fact that within less than 24 hours of Oracle's security update, the admin of an underground cybercrime group is offering to sell a new zero-day Java vulnerability. Any hacker who wanted to get it was asked to cough up $5,000.
This shows that Java is far from fully secure, even now. The update that Oracle shipped tried to eliminate one specific way of discovering the characteristics of classes at runtime. However, the company patched only that one method, and attackers can just as well come up with other ways to achieve the same result, effectively circumventing the fix.
Oracle did a rather impressive job with the update, because its engineers were able to put it together within a week or so of the discovery of the specific vulnerability. But the big question is whether speed alone will be enough for Oracle to effectively thwart the security risks posed by Java. According to members of the open-source community, the software will continue to be vulnerable and a security risk because no Oracle personnel are fully equipped to tackle Java security on their own.
One proposed solution, the open-source community members say, is for Oracle to start collaborating with the community. This wouldn't require the company to expend any additional resources, but at the same time it would bring more brilliant minds to the table to stay on top of the security of the software.