Jan 22, 2013

Why are there so many issues with Java?

It seems that whenever there is a zero day vulnerability, there is a better than even chance that it will have something to do with Java. What is it about Java that makes it so prone to security threats? Oracle isn't exactly some start-up operating out of a garage, you would think they would have this Java thing figured out by now.


Hello Friends,

Java is a popular programming language that is used to develop games, applications, and utilities that are found on the Internet, cell phones, and other digital devices. There are thousands of other programming languages out there, such as C, C++, HTML, ColdFusion, Python, Flash, PHP, Visual Basic, and more, but Java has gained popularity in the last few years because it will work on many different kinds of computers.
It is the same reason that there are frequent updates for the Flash player. Because these applications are installed on so many computers around the world, and because they are cross-platform, they are extremely vulnerable to security risks. They are frequently targeted by hackers and other cyber criminals, so Sun Microsystems is constantly trying to stay one step ahead of the bad guys.

Thanks and Regards,
Agili Ron



Well, with most all applications in the world running on JAVA there are inevitably going to be problems that arise. So folks, go ahead and disable Java in your browsers, and while you're at it throw your cell phones, PDAs and all the other "fun things" you have at your disposal away. This includes your XBOX 360 and your PlayStations that are running all those "cool games" that include Java libraries that you know nothing about. Yes, trash the cable TV box too; flawed Java is what brings all those channels to you in HD.


And while you're at it, get rid of that internet router. It also runs on Java. Oh yeah, you will also need to close that bank account. Most banking applications run on Java also. You will also need to get rid of that debit and credit card; Java reads it when you swipe.



Alas, now you can pitch your tent and go to the woods. That is what you will have left. Of course, then you will be vulnerable to bears and the like.


But yeah, Oracle knows nothing about JAVA technology, right?


While I think you make a good point about the prevalence of Java, you are comparing apples (small A) and oranges a little. Java running in a browser is not the same thing as JavaScript or Java Card. Also, while the Android SDK uses Java, so apps are written in Java, the phone itself is using Dalvik instead of the Java Virtual Machine, and is not vulnerable in the same way as a machine with Java SE 7 running in the browser. I agree with you that Java is widely used, and is widely useful. However, in the context of use in a browser, which I inferred from the original question because of the use of the term "zero day vulnerability" and the well publicized security weaknesses of Java SE 7, the picture is not so rosy, and there is little compelling reason to continue to use it.

There is no reason to insult people. First of all, knowing a technology does not imply being infallible. Besides, Java was not invented by Oracle; it was invented by Sun, and it was done a while ago. People leave companies, and as original architects are replaced by new engineers the shine wears off. Add to it the push by marketing for ever-changing sets of features and you get a mess, often resulting in frequent updates. Frequent updates may also well be a sign of bad design, poor QA or other problems. It is perfectly reasonable to not want to constantly be bothered by update popups. Not realizing that is another sign of poor business practices. When people complain, a well-run business listens instead of going into denial. The same problem is present in Firefox and much other bloated software. I dare say that avoiding highly vulnerable software is the opposite of pitching a tent in the woods. It is more like setting up the city walls. Maybe it will limit contact, but it will also reduce the chance of invasion.

Here's an article that explains how to disable Java altogether. Probably a good idea for most people.

Java is Insecure and Awful, It’s Time to Disable It, and Here’s How

"As usual, there’s yet another security hole in the Java Runtime Environment, and if you don’t disable your Java plugin, you’re at risk for being infected with malware. Here’s how to do it.

Security holes are nothing new, but in this case, the security hole is really bad, and there’s no telling when Oracle will get around to fixing the problem. Plus, how often do you really need Java while browsing the web? Why keep it around?"

The way Java is constructed includes what they call the "Security Manager", which is intended to restrict applications to running in the Java sandbox. This is a major part of the problem, somewhat ironically, because the Security Manager has a number of interconnected subsystems that have repeatedly allowed exploits to bypass it and gain access to the machine running Java. The issue, or at least part of it, is that the way all of the subsystems interact makes it much harder to correct than it would be to fix a single flaw, partially because of unintended consequences: changes made to one subsystem to fix one flaw may open up a new potential exploit through a different subsystem. Also, Oracle doesn't play well with others, and won't work with people outside of the company to attack flaws, so they do everything in a bit of a vacuum.
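To make the sandbox idea above concrete, here is a small Java program (an added example, not posted by anyone in this thread and not Oracle's code) that installs its own `SecurityManager`. The manager permits only read access to files under one directory, chosen here as the JVM's temp directory purely as an assumption for the demo, and denies every other file operation; all non-file permissions are allowed so the program itself keeps running. Everything the JVM does to the file system goes through `checkPermission`, which is exactly why a single bypass of the manager amounts to full access to the host. The class names `SandboxDemo`, `ReadOnlySandbox` and `tryRead` are invented for this example.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;

// Added example, not from the thread: a minimal SecurityManager that only
// permits reading files under one directory ("root" is an assumption for
// the demo). Every other FilePermission request is refused.
public class SandboxDemo {

    static class ReadOnlySandbox extends SecurityManager {
        private final String root;

        ReadOnlySandbox(String root) { this.root = root; }

        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission) {
                String actions = perm.getActions();  // e.g. "read", "write,delete"
                String path = perm.getName();
                // Deny any write/delete/execute, and any read outside root.
                if (!actions.equals("read") || !path.startsWith(root)) {
                    throw new SecurityException("sandbox denied " + actions + " on " + path);
                }
            }
            // Other permission types (RuntimePermission, PropertyPermission, ...)
            // are deliberately allowed so this demo can keep running.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Returns true if the read was permitted, false if the sandbox blocked it.
    static boolean tryRead(String path) {
        try {
            // File.canRead() asks the SecurityManager for FilePermission(path, "read").
            return new File(path).canRead();
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        String root = new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();
        System.setSecurityManager(new ReadOnlySandbox(root));

        System.out.println("read inside root permitted:  "
                + tryRead(root + File.separator + "sandbox-demo.txt"));
        System.out.println("read outside root permitted: "
                + tryRead(File.separator + "etc" + File.separator + "hosts"));
    }
}
```

The first `tryRead` call is allowed and the second is refused with a `SecurityException`, regardless of whether the files exist. On Java 17 and later the JVM prints a deprecation warning for `setSecurityManager`, and from Java 18 the program must be started with `-Djava.security.manager=allow`, because the whole Security Manager mechanism has been deprecated for removal (JEP 411); the modern answer to this thread's concern is that browser applets and this sandbox model have been retired rather than patched further.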


I am so sick of Oracle trying to install unwanted junk like toolbars and add-ons with every update that I'm done with Java anyway. I really, really don't want an Ask Toolbar, and I don't want to have it installed by default unless I opt out EVERY SINGLE UPDATE! Grrrrrrrrr! Ars has a harsh article on this very topic today, in fact.
