Calls for Java overhaul grow as more security flaws emerge

21 Jan, 2013

Security experts suggest problems in the development cycle of Java could be to blame for recent security woes.

Oracle needs to urgently overhaul its Java software platform to prevent further security problems that could put users at risk, it has been claimed.

The software giant has come under fire repeatedly over the last six months following the discovery of several security problems affecting the browser plug-in versions of Java.


Earlier this month, Mac and PC users were again encouraged to disable Java in their web browsers after another zero-day vulnerability was found that could let attackers take over users' systems.

Oracle released an emergency patch last week to fix the problem, but security researchers claimed it failed to address several critical flaws.

The same researchers, headed up by Security Explorations' Adam Gowdiak, announced on Friday the discovery of two further security vulnerabilities that also affect the patched version Oracle rolled out last week.

"We have successfully confirmed that a complete Java security sandbox bypass can still be gained under the recent version of Java 7 Update 11," said Java security researcher Gowdiak.

He said the flaws have been reported to Oracle, along with working proof-of-concept code.
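The two practical takeaways from the report above are that Java 7 Update 11 still allows a sandbox bypass and that users were advised to disable Java in the browser. The script below is an added example, not code from the article or from Security Explorations: it parses the banner that `java -version` prints (note that the JDK writes it to stderr) and a `deployment.properties` file body, and reports whether a machine is running a version at or below 7u11 with browser Java content still enabled. The `deployment.webjava.enabled` key is the one the Java Control Panel's "Enable Java content in the browser" checkbox writes in 7u10 and later; treating everything at or below 7u11 as affected is an assumption drawn only from this article, which says nothing about later updates. The sample banner and properties are constructed inputs.

```python
import re

# Matches the first line of `java -version` output for the JDK 6/7 numbering
# scheme: 1.<major>.0_<update>, e.g. java version "1.7.0_11".
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"')

# The article reports that 7u11 (last week's emergency patch) still permits a
# complete sandbox bypass. ASSUMPTION: anything at or below 7u11 is treated as
# affected; the page does not say which later update, if any, closes the holes.
LAST_KNOWN_AFFECTED = (7, 11)

# Key written by the Java Control Panel "Enable Java content in the browser"
# checkbox (7u10+). A missing key means the default, which is enabled.
WEBJAVA_KEY = "deployment.webjava.enabled"


def parse_java_version(banner: str):
    """Return (major, update) from `java -version` output, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # "1.7.0" with no _NN is update 0
    return (major, update)


def web_java_enabled(deployment_properties: str) -> bool:
    """Read deployment.webjava.enabled from a deployment.properties file body.

    Comment lines start with '#' or '!' in Java properties files; the first
    occurrence of the key wins, and an absent key means enabled.
    """
    for line in deployment_properties.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == WEBJAVA_KEY:
            return value.strip().lower() != "false"
    return True


def assess(banner: str, deployment_properties: str):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    version = parse_java_version(banner)
    if version is None:
        findings.append("could not determine the installed Java version")
    elif version <= LAST_KNOWN_AFFECTED:
        findings.append(
            f"Java {version[0]}u{version[1]} is at or below 7u11, "
            "which the article reports as still open to a sandbox bypass"
        )
    if web_java_enabled(deployment_properties):
        findings.append(
            "browser Java content is enabled; disable it via the Java Control Panel "
            f"({WEBJAVA_KEY}=false)"
        )
    return findings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_BANNER = 'java version "1.7.0_11"\nJava(TM) SE Runtime Environment\n'
SAMPLE_PROPERTIES = "#deployment.properties\ndeployment.version=7.11\n"

if __name__ == "__main__":
    for finding in assess(SAMPLE_BANNER, SAMPLE_PROPERTIES):
        print("FINDING:", finding)
```

Run it against real input with `java -version 2>&1` and the user's `deployment.properties` (under `~/.java/deployment/` on Unix-like systems); the comparison tuple is the only thing to adjust once Oracle ships a release that closes the reported bypass.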

It has also emerged that a flaw in Java's MBeanInstantiator class was not addressed by last week's patch.

This bug is what prompted Gowdiak to dig further and led to the discovery of the two additional vulnerabilities, he revealed.

Andrew Storms, director of security operations at compliance software firm nCircle, said the security problems that have recently blighted Java should prompt Oracle into overhauling the platform.

“Oracle should just redesign Java from the ground up before everyone completely loses faith in it and other Oracle products,” said Storms.

"Obviously, there's something broken in Java development or design cycles. Oracle needs to wake up and get serious about secure software development; it's not like there aren't a lot of examples on how to do it right."