Last year, developers at Google launched Operation Rosebud, an initiative designed to patch Java vulnerabilities in more than 2,600 open-source software builds, according to a company blog post. In the months since, the 50-member team has managed to stabilize a large number of projects and develop fixes for some particularly troublesome system weaknesses, including the well-known "Mad Gadget" vulnerability.
Addressing a key Java flaw
In January 2015, data security researchers discovered that hackers could infiltrate Java applications via faults in the object serialization process in code that leverages the Apache Commons Library, according to the Apache Software Foundation. Specifically, outside actors could tamper with the serialized data before the deserialization phase, so that the readObject methods invoked during deserialization would plant infected bytecode or execute attacker-chosen functions. Those in the development community nicknamed the flaw that facilitated this type of attack "Mad Gadget" and set about looking for solutions. Most found that common programming practices exacerbated the issue, as coders relied heavily on Java serialization. Some even deserialized data received from untrusted peers.
In short, hackers could take advantage of these behaviors and easily wreak havoc on applications of all kinds.
Soon after the information technology firm Foxglove Security published a formal write-up detailing the intricacies of "Mad Gadget," networking and software giants like Adobe, Cisco, IBM, Intel and Oracle announced that they had encountered the vulnerability.
"Hackers can infiltrate Java applications via faults in the object serialization process."
In November last year, one hacker managed to conduct the biggest "Mad Gadget" strike to date, stalling the ticketing system for the San Francisco Municipal Railway. Officials at the agency allowed riders to travel for free and later managed to regain system control without paying the infiltrator's $73,000 ransom. Still, the damage was done.
As the Muni hack unfolded, a team of 50 Google developers worked to address the destructive Java vulnerability. However, the group wasn't looking to develop and package a solution for enterprise use. Instead, the developers sought an easy-to-implement fix for open-source coders with projects utilizing the Apache Commons Library.
Operation Rosebud reached out to these developers on GitHub and offered patches. This involved addressing a massive number of programs, as many vulnerable open-source projects were based on previous creations that used the Apache Commons Library. The Operation Rosebud team made a copy of an internal tool called Rosie, which gives developers the power to make top-down changes to massive codebases, and used it to develop patches for disparate projects across the web.
The team also advised developers to switch to newer versions of the Apache Commons Library, as they do not contain the "Mad Gadget" vulnerability.
More Java threats on the horizon
While Google developers were able to mitigate the impact of one particularly powerful Java flaw, many more remain unaddressed. In fact, an estimated 97 percent of Java applications contain at least one serious vulnerability, according to a study from Veracode covered in Fortune.