Why fixing the Java flaw will take so long

Oracle isn't saying much, but the OpenJDK community has provided InfoWorld with a complete analysis -- and a critique of Oracle's patch

Page 2 of 2

Solution critique
It's that cascade of subtly interacting subsystems that worries security researchers so much. The problems seems to be less a defect in a single subsystem and more a consequence of the interaction of apparently correct subsystems.

While Oracle's quick fix appears to have broken the exploit chain in this instance, researchers fear that building another chain could be possible -- and may already have happened within the shadows of the black-hat cracker community. They fear that no single developer has the overall knowledge of all of the subsystems involved to safely create a rapid fix, so it will take a process of experimentation stretching over many months to work out what must be re-engineered to make new exploit chains impossible. Oracle seems to agree: It has set the default security level in Java to "high," just in case.

The security researchers were at pains to point out that the same cascade of complex interactions could affect any runtime model using a rich programming interface protected by a sandbox -- a model common to Android, Flash, .Net, and other runtimes.

How could the situation be improved? I was told that Oracle's secrecy does not help. Just as I was unable to get anyone to explain the issue to me, so Oracle refuses to collaborate over security issues with community members -- as the MySQL community also discovered. One community member told me: "I think people are dissuaded from posting or working on such patches since it is so clear Oracle has a policy to not talk about bugs/patches when they are marked as 'security issues.'"

One benefit of open source is Eric Raymond's observation that "many eyes make all bugs shallow." Perhaps if that all-seeing community of development experts was better leveraged, this issue could be addressed sooner than the "six months to two years" some are predicting.

This story, "Why fixing the Java flaw will take so long," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

| 1 2 Page 2