Is Java now too dangerous to use?

Java is under fire once again. So why is everyone worried this time?

Java, the great enabler of useful applications or a waste of space that is doing more harm than good? After the last few weeks this has become a question worthy of a philosophy lecture.

First in late August came news of two serious zero day Java vulnerabilities (CVE-2012-4681), with plenty of evidence that criminals were exploiting them in a big enough way to pose serious questions over Java's continued use.

Oracle patched the flaw in an out-of-band release but according to Polish security firm Security Explorations, the company had been told about the issue months before and had apparently not acted.

Adding a note of the absurd, not long after the fix had appeared, the Poles said they’d found a vulnerability in the patch of the zero day, a way for code to beat the software's security blanket sandbox.

So, a serious flaw allegedly known about for months, only patched once exploits had started appearing. And then this patch immediately turns out to have a sandbox-busting security flaw of its own.

Should consumers and businesses keep Java on their desktops? In both cases the answer is a 'yes' but only if it is actually required.

Java myth number 1 – I need Java on my computer just in case

For businesses, working out whether the Java runtime environment (JRE) is needed is fairly straightforward and the answer is usually ‘yes’. Presumably admins wouldn’t allow Java on desktops if it wasn’t there for a reason, and that will often be tied to a specific version. In the case of consumers, many probably won’t need Java but will have it on their computers whether they know it or not. Many retail PCs simply include it by default.

The JRE is still necessary for a clutch of games that work as applets not to mention Google’s heavy and contentious use of the software inside Android but otherwise its popularity is waning. Bear in mind that Java installs on the PC but can be enabled or disabled inside browsers too.

You can test whether Java is enabled and which version is being used by visiting this site.

Myth number 2 – JavaScript is Java

Wrong. Beyond the use of the word ‘java’ the two are unconnected. JavaScript was invented by Brendan Eich in 1995 while working for Netscape; he took his belief in the usefulness of his scripting interface for making browsers and websites more interactive with him when he became Mozilla’s CTO at the time of its founding in 2003. As they say, the rest is Wikipedia.

Microsoft’s adoption of its own non-standard version, JScript, caused serious unhappiness that it was hijacking a good open source idea for its own ends, but that's an aside.

Myth number 3 – old versions are harmless

That’s another thing about Java. Even when security updates are available and users take the time to download them, many forget to de-install old versions.

As Oracle itself said in May, "Keeping old and unsupported versions of Java on your system presents a serious security risk." The company helpfully tells people how to do this and it’s incredibly simple as long as you remember to do it and know that it’s necessary in the first place.

You’d wager most computer users don’t know that this is important and have better things to do with their time in any case.

So why doesn’t Oracle delete old versions when installing newer ones? Because some applications might conceivably still use the old versions, so it can’t. If such apps are encountered on a machine cleansed of old versions, Oracle keeps an archive of old versions should they be required.

A good tip is to make sure that new versions of Java are downloading automatically (they should be by default) and that the system checks for new versions often enough (the default is once a month, probably not frequent enough). In Windows, run the Java app from Control Panel, click the Update/advanced tab and set the check to ‘once a week.’
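To make the old-versions problem concrete, here is an added example (not from the article or from Oracle) of an inventory check that flags JREs left installed alongside a newer one. It assumes the legacy `1.x.0_uu` banner printed by `java -version`; the install paths and banner strings are constructed sample data.

```python
import re

# Legacy (pre-Java 9) banner line, e.g.: java version "1.6.0_31"
BANNER_RE = re.compile(r'version "1\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_banner(banner):
    """Return (major, minor, update) as integers, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, update = m.groups()
    return int(major), int(minor), int(update or 0)

def stale_installs(banners):
    """banners maps install path -> captured `java -version` text.

    Returns (newest_version, stale_paths, unparsed_paths). Versions are
    compared numerically, so update 9 correctly sorts below update 31.
    """
    parsed, unparsed = {}, []
    for path, banner in banners.items():
        version = parse_banner(banner)
        if version is None:
            unparsed.append(path)   # needs a manual look, not a silent pass
        else:
            parsed[path] = version
    if not parsed:
        return None, [], sorted(unparsed)
    newest = max(parsed.values())
    stale = sorted(p for p, v in parsed.items() if v < newest)
    return newest, stale, sorted(unparsed)

# Constructed sample: in practice each banner would be captured by running
# that install's own `java -version` (the banner is written to stderr).
SAMPLE = {
    r"C:\Program Files\Java\jre7": 'java version "1.7.0_07"',
    r"C:\Program Files\Java\jre6": 'java version "1.6.0_31"',
    r"C:\Program Files (x86)\Java\jre6": 'java version "1.6.0_9"',
    r"D:\apps\vendor\jre": "command not recognised",
}

if __name__ == "__main__":
    newest, stale, unparsed = stale_installs(SAMPLE)
    print("newest installed:", newest)
    for path in stale:
        print("old version still present:", path)
    for path in unparsed:
        print("could not identify:", path)
```

Any path reported as stale is a candidate for removal unless a specific application is known to depend on it.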

Myth 4 - Java vulnerabilities are a Windows problem

Java flaws can affect all platforms on which the runtime is present, including Apple and Linux. This doesn’t mean that every Java flaw affects these platforms equally. The overwhelming bulk of malware exploiting Java flaws targets Windows users; that is, it attempts to open a back door through which a Windows-specific payload will rush.

But the Flashback Trojan from earlier this year proved that Mac users are not immune from nefarious Java if the malware writers become interested enough. That involved a Java flaw (CVE-2012-0507) that had to be patched by Apple itself. In other words, Apple users face two layers of dependency, that of Oracle (which issues the update) and Apple (which actually issues it as part of its security cycle).

Myth five – Oracle will protect me

If it turns out to be true that Oracle has been unresponsive to vulnerability reports for months, that belief goes out of the window. Malware writers have been hunting in the Java space for some years and there is no sign that matters are improving. Watch this space.

