Despite a flurry of recent updates to patch security holes in Oracle's (ORCL) Java software, many experts fear it's only a matter of time before the bug-prone product again exposes millions of computer users to possible cyberattacks.
"The state we're in now is pretty much a state of chaos," said Andrew Storms of nCircle, an information security company based in San Francisco. "Nobody really seems to know are they vulnerable or not, and what should they do to make themselves not vulnerable."
Some experts question whether Oracle is up to the task of making the software secure. While it sounds willing to fix it, said Paul Ducklin of the security firm Sophos, "the credibility gap seems to be whether it will be capable of doing so."
Failing to correct Java's flaws could create huge problems. While many consumers need the software only occasionally when browsing websites, many businesses depend on it for payroll processing and other purposes. And the vulnerabilities make it easy for crooks to commit a variety of crimes, from stealing computer data to extortion.
Milton Smith, who leads Oracle's security for Java, recently acknowledged that the Redwood City corporation needs to bolster public confidence in the software. A couple of weeks after the Department of Homeland Security issued a warning Jan. 10 to disable the software in browsers unless "absolutely necessary," Smith told a Java users group that Oracle's plan "is to get Java fixed up, number one, and number two, to communicate our efforts widely."
However, when this newspaper sought to interview Oracle officials about Java's vulnerabilities -- primarily involving its use in website applications -- a company spokeswoman declined to comment.
Unrelated to JavaScript -- a similarly named programming language created by Netscape -- Java was developed in the early 1990s by Sun Microsystems, which Oracle bought in 2009. Designed so that the same program can run unchanged on many kinds of computers and inside web browsers, Java lets people play games and chat online, calculate their mortgage interest, make stock trades and view images in 3-D, among other things.
Although used only occasionally today by many computer users, Java continues to run on several billion devices, including personal computers, mobile devices, television sets, car navigation systems, lottery terminals, medical devices and parking-lot pay stations.
As far back as 2005, a study by Carnegie Mellon University's federally financed Software Engineering Institute concluded that "there are a number of Java features and facilities that an unwary user might not realize could compromise safety."
Since then, critics contend, Java has been poorly maintained by Oracle: over the past three years it has had at least 90 security vulnerabilities of medium to high severity, according to the federal government's National Vulnerability Database, which tracks such problems.
Those weaknesses have made it a juicy target for crooks, concluded Cisco Systems' (CSCO) latest annual report on cyber security. "With over 3 billion devices running Java," it said, "the technology represents a clear way for hackers to scale their attacks across multiple platforms."
In April the Polish firm Security Explorations reported finding a number of Java vulnerabilities. More turned up last month, prompting the federal warning. Three days later, Oracle issued a Java update to fix the problems. But shortly after that, Security Explorations said it found more vulnerabilities. Then on Feb. 1, Oracle issued another update with 50 additional patches.
The flaws are a major worry because experts say crooks already are exploiting them to install so-called ransomware, which locks a computer behind a pop-up message demanding money before the victim can regain use of the machine. The vulnerabilities also can let crooks infect computers with information-stealing malware, and experts have spotted pop-up notices that pretend to offer Java security updates but install malware when clicked.
Following the federal warning, Mountain View-based Mozilla blocked Java in its Firefox browser unless the user explicitly clicked to enable the plug-in on a page. After Oracle's latest updates, however, it lifted that block for the newly patched Java version. Similarly, Apple (AAPL) -- which disabled Java in its Mac operating system after the warning -- has since allowed the updated software to run again.
Proponents of Java insist it has many good features and that it's not the only software to have security holes. Over the past two months, the federal database has listed vulnerabilities in software from Cisco, Hewlett-Packard (HPQ), Apple, Google (GOOG), Mozilla and Adobe Systems (ADBE), among others.
Will Dormann, a Carnegie Mellon researcher who wrote the Java warning for the government, said the many flaws found in Java may partly stem from some security experts spending inordinate time scrutinizing it. He also noted that Java isn't the only software he's recommended disabling. He gave similar advice in December about Adobe's Macromedia Shockwave Player, which displays certain web content.
Even with Oracle's latest patches, he said it was unlikely the government would tell people "to turn it back on."
Crooks reportedly have been selling so-called exploit kits that enable other criminals to take advantage of Java's deficiencies. Some experts, including Jamie Blasco of the San Mateo security firm AlienVault, fear it's only a matter of time before more vulnerabilities turn up in Java.
To get ahead of that, Oracle must make a major investment to shore up the software, as other companies with vulnerability-plagued products have done in the past, said H.D. Moore, chief security officer with Rapid7. Otherwise, "they will not be able to make Java safe for the web browser in today's environment."
Contact Steve Johnson at firstname.lastname@example.org or 408-920-5043. Follow him at Twitter.com/steveatmercnews.