In a recent conference call, Java’s head of security, Milton Smith, said the right things. As an organization, Oracle finally seems to realize just what a problem it has on its hands and that the road to cleaning up the mess is more than a single patch. Oracle is taking steps like automatically removing older versions of Java when you update to the latest, as reported in The Register. When a vendor has a broken product, one of the most important steps is to get its customers down to fewer distinct versions in the field. It is a painful process because there will often be short-term customer attrition during that phase. Yet history has shown that this consolidation leads to better overall products and increased innovation.
Ezra F notes on his blog that the Department of Homeland Security has recommended that everyone uninstall Java from laptops and desktop computers. Java applets have become a key vector for malware, and Oracle seems to be struggling to correct these persistent problems.
The DHS recommendation is terrible. It replaces a known disruption vector with an unknown one. We can model malware outbreaks and use quarantine and cleanup tools to manage them. It is expensive, but we have a pretty good idea of how expensive. Enterprises and ISPs can do more with intrusion detection systems, firewalls and other security technologies to reduce these costs and the impact of these outbreaks. Java isn’t the only vector for malware, and if we all remove it, attackers will simply move to something else. The proposal to uninstall Java on all PCs immediately will not yield the desired security benefits, and it brings a lot of unknown costs into the system.
Java applets are ubiquitous. Every enterprise would have to audit its web infrastructure and make sure that the technology delivered by applets is either replaced or non-essential. What DHS is creating is a Y2K-level effort with an immediate delivery date. It seems likely that most companies will be unable to comply with the recommendation. Furthermore, the notion that consumers will be able to uninstall Java also seems unlikely. Java is hard to remove and easy to accidentally reinstall. For the reasons above, it seems to me that DHS’s suggestion fails as practical and useful advice.
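To give a sense of what the audit described above actually involves, here is a small inventory script. It is an added example written for this post, not a tool from DHS, Oracle or the blog’s author. It walks HTML with Python’s standard-library parser and flags the markup that loads the Java browser plug-in: the `<applet>` element, `<object>`/`<embed>` tags carrying the Java MIME type or the Java Plug-in ActiveX class IDs (the well-known `8AD9C840-…` and `CAFEEFAC-…` prefixes), `<param>` tags naming the Java type, links to `.jnlp` launch files, and the `deployJava.js` Deployment Toolkit loader. The sample HTML at the bottom is constructed for illustration; run the script over real exported pages to get a per-line list of what still depends on Java.

```python
"""Inventory Java applet usage in HTML pages (illustrative audit helper).

Reports every element that would invoke the Java browser plug-in, with the
line number it appears on, so a site owner can see what must be replaced
before Java can be removed from client machines.
"""
from html.parser import HTMLParser

# MIME types that hand the content to the Java plug-in. The "type" attribute
# may carry a version suffix (e.g. ";version=1.6"), so we match on prefix.
JAVA_MIME_PREFIXES = ("application/x-java-applet", "application/x-java-vm",
                      "application/x-java-bean")
# Java Plug-in ActiveX class IDs used in <object classid="..."> on IE.
# 8AD9C840-... is the generic ID; CAFEEFAC-... is the version-specific family.
JAVA_CLSID_PREFIXES = ("clsid:8ad9c840", "clsid:cafeefac")
# Oracle's Java Deployment Toolkit script, used to detect/launch applets.
DEPLOY_TOOLKIT_SCRIPT = "deployjava.js"


def _is_java_type(value):
    return any(value.startswith(p) for p in JAVA_MIME_PREFIXES)


class AppletFinder(HTMLParser):
    """Collects (line, tag, reason) for each Java plug-in reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Normalise attribute names and values; a bare attribute has value None.
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        line = self.getpos()[0]

        if tag == "applet":
            self.findings.append((line, tag, "applet element"))
        elif tag in ("object", "embed"):
            if _is_java_type(a.get("type", "")):
                self.findings.append((line, tag, "java mime type"))
            elif a.get("classid", "").startswith(JAVA_CLSID_PREFIXES):
                self.findings.append((line, tag, "java plug-in classid"))
        elif tag == "param":
            # <object> pages often declare the type via a child <param>.
            if a.get("name") == "type" and _is_java_type(a.get("value", "")):
                self.findings.append((line, tag, "java mime type (param)"))
        elif tag == "a":
            # Web Start launch files, with any query string stripped.
            if a.get("href", "").split("?", 1)[0].endswith(".jnlp"):
                self.findings.append((line, tag, "jnlp link"))
        elif tag == "script":
            if a.get("src", "").split("?", 1)[0].endswith(DEPLOY_TOOLKIT_SCRIPT):
                self.findings.append((line, tag, "deployment toolkit script"))


def find_applets(html):
    """Return a list of (line, tag, reason) tuples for one HTML document."""
    parser = AppletFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: four Java references plus Flash and an image,
# which must not be reported.
SAMPLE_HTML = """<html><body>
<applet code="Chart.class" width="300" height="200"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
  <param name="code" value="Viewer.class">
</object>
<embed type="application/x-java-applet;version=1.6" code="Upload.class">
<a href="/launch/app.jnlp?ver=2">Launch</a>
<object type="application/x-shockwave-flash" data="movie.swf"></object>
<img src="logo.png">
</body></html>"""


if __name__ == "__main__":
    for line, tag, reason in find_applets(SAMPLE_HTML):
        print("line %d: <%s> %s" % (line, tag, reason))
```

Point the script at a crawl of your own sites (or an export from the CMS) rather than at the sample, and treat every hit as a page that needs a replacement plan before the plug-in can go away.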
This recommendation to just kill Java is a bit like the Lehman Brothers bankruptcy. It seems reasonable at first, but once the costs and consequences become clear we realize that we’ve just traded one mess for another even bigger one.
We know that Java is a vector for malware and that Oracle has been too slow to address these problems. Sun/Oracle got widespread acceptance of this technology based on promises about security and support.
I think DHS and other US government agencies such as the Federal Trade Commission and the Department of Justice could do more to pressure Oracle to address the flaws in its product. Java was represented to partners and consumers as a secure and ubiquitous technology that enabled web developers to create rich web applications that ran on a number of platforms. Hundreds of billions of dollars of technology investment were made based on that assurance. If this were an aircraft, an automobile or any other manufactured product, we’d have congressional hearings and agencies lining up to investigate. Remember Toyota’s acceleration flaw a few years ago? This problem is at least of that magnitude, and yet all we have is DHS issuing a warning to consumers and seemingly taking no action to get the vendor to clean up its mess.
I suppose one could argue that a car accelerating out of control is far easier for voters to get upset about than a software security flaw. This reinforces my earlier point: most consumers will be unable to act in the prescribed manner and will instead continue to run vulnerable systems.
Instead of just uninstalling Java, perhaps we are better off contacting offices of consumer affairs, members of Congress and Oracle itself to get Java secured.