sysCore ApS
Tel: +45 32 21 57 70
Fax: +45 69 66 33 66
Glostrup, Denmark


Building nationwide authentication scheme on top of Java

Java is indeed an enterprise technology: solid, scalable, portable and, recently, pretty buggy. The latest out-of-band patch released by Oracle (Java 7 Update 11, security alert CVE-2013-0422) does not seem to be enough.

Now comes the “funny bit”: all banks and public authorities in Denmark depend on NemID, an authentication scheme powered by a Java applet. The browser applet is the only part of the Java ecosystem that is vulnerable in this case (desktop and server applications are unaffected).

This is very unfortunate, because the nature of the exploit allows an attacker to gain full control over the computer almost without the user noticing. Many banks in Denmark have issued statements that users should disable Java for all sites except the ones that rely on NemID for authentication (the latest Java update makes this possible). The media have also covered the case well. The question is whether this will create enough pressure on Oracle to start seriously fixing Java. Rough estimates say that fixing it might take as much as 2 years.

But what about the meantime? In the case of Denmark this vulnerability is a gift for the dark characters, because every important service relies on NemID, which means that most people have some version of Java installed.

To avoid problems, make sure to:

  • immediately update to the most recent Java version
  • disable Java for sites that do not use NemID (this can be done in Java 7 Update 11 and later)
  • use common sense and, if unsure, click “No” when a prompt such as “Do you want to execute this applet?” comes up
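The first item in the list above is easy to state but hard to verify across a fleet of machines. The script below is an added example, not code from sysCore or the original post: it parses the version string that `java -version` printed at the time (the legacy "1.7.0_11" form) and reports whether the runtime is at or above Java 7 Update 11, the release named in the post. The sample version strings in it are constructed for the demonstration; the helper names (`parse_java_version`, `is_patched`, `check_installed_java`) are this example's own.

```python
"""Check whether an installed Java runtime is at or above Java 7 Update 11,
the out-of-band release that shipped the fix for CVE-2013-0422.

Added example, not code from sysCore or the original post.  Sample version
strings used below are constructed for the demonstration.
"""
import re
import subprocess

# Baseline named in the post: Java 7 Update 11 -> (major, update).
MIN_PATCHED = (7, 11)

# Legacy strings look like "1.7.0_11" or "1.7.0_11-b21"; the "-b21" build
# suffix is irrelevant for this check.  JDK 9+ strings ("11.0.2") have no
# leading "1." and carry no update number in the same sense.
_LEGACY_RE = re.compile(r'^1\.(\d+)\.\d+(?:_(\d+))?')
_MODERN_RE = re.compile(r'^(\d+)(?:\.\d+)*')


def parse_java_version(version_string):
    """Return (major, update) or None if the string is not a Java version.

    "1.7.0_11" -> (7, 11); "1.7.0" -> (7, 0); "11.0.2" -> (11, 0).
    For JDK 9+ only the major number is taken, which is enough when the
    baseline is a Java 7 release.
    """
    s = version_string.strip().strip('"')
    m = _LEGACY_RE.match(s)
    if m:
        update = int(m.group(2)) if m.group(2) else 0
        return (int(m.group(1)), update)
    m = _MODERN_RE.match(s)
    if m and not s.startswith('1.'):
        return (int(m.group(1)), 0)
    return None


def is_patched(version_string, minimum=MIN_PATCHED):
    """True if the runtime is at or above the baseline release.

    Unparseable input counts as NOT patched: a compliance check should
    fail closed rather than silently pass an unknown runtime.
    """
    parsed = parse_java_version(version_string)
    if parsed is None:
        return False
    return parsed >= minimum   # tuple comparison: major first, then update


def version_from_java_output(output):
    """Pull the quoted version out of `java -version` output, e.g. from the
    line 'java version "1.7.0_11"'.  Returns None if no such line exists."""
    m = re.search(r'java version "([^"]+)"', output)
    return m.group(1) if m else None


def check_installed_java():
    """Run `java -version` on this machine.  Returns (version or None, patched).

    A missing `java` binary yields (None, False): nothing to update, but the
    result is still reported as not-verified so an inventory does not hide it.
    """
    try:
        # JDKs of this era print the banner on stderr, so capture both streams.
        proc = subprocess.run(['java', '-version'],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return None, False
    version = version_from_java_output(proc.stderr + proc.stdout)
    return version, (is_patched(version) if version else False)


if __name__ == '__main__':
    # Constructed samples: two releases below the baseline, two at or above it.
    for sample in ['1.7.0_09', '1.7.0_10', '1.7.0_11', '1.7.0_13-b20']:
        print(sample, 'ok' if is_patched(sample) else 'UPDATE NEEDED')
    print('installed:', check_installed_java())
```

Run it on each workstation (or feed it saved `java -version` output from an inventory tool) to list the machines that still carry a runtime older than 7u11; the fail-closed behaviour means a runtime the parser does not recognise shows up for manual review instead of being counted as safe.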

More about the vulnerability can be found on US-CERT:

Article in Danish from DK-CERT:

Posted in security