Channels ▼

Eric Bruno

Dr. Dobb's Bloggers

Once Again: Java Vulnerability

January 21, 2013

In light of the recent set of vulnerabilities found within the Java SE 7 browser plugin, I've read stories and heard from people who are completely uninstalling Java from their computers. In my opinion, this is an over-reaction to an issue that affects only one thing: the Java plugin for the browser. This is used only to run Java Applets or Java WebStart to launch applications via the browser. Considering there are three other types of Java applications that are unaffected (Java Embedded applications, Java SE desktop applications, and Java EE web-based or enterprise applications), this is only a small portion of the Java world. On top of that, there honestly aren't many Java applets in use these days, so the need to use the Java plugin is minimal.

More Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>

To be clear, these specific vulnerabilities don't affect real-world server-side deployments (Java EE), or even Java SE desktop applications such as Eclipse or Netbeans, JavaFX, Swing, and so on. There really is no need to uninstall the JDK or JRE. Users need only disable the Java plugin in their browser.

One point I've been trying to make to friends and colleagues, beginning with the previous rash of vulnerabilities (see my previous blog), is that this is only an issue if the user browses to a malicious web site. Java or no Java, pointing your browser to a malicious web site is dangerous and leaves you vulnerable either way. You could raise the point that even a legitimate site can get hacked, and a Java zero-day attack launched from it. However, I would add that if a site got hacked, you're still open to vulnerability with or without the Java plugin enabled.

Oracle's Java SE 7 update 11, released to address this issue, included a description of the issue and resolution. In summary, the change included a control panel setting to block unsigned Java applets from running automatically. I've heard that only one of the two vulnerabilities discovered this week has really been patched, and I've also just read that an even newer vulnerability has been found. If this is true, it could spark a big change for the Java browser plugin design.

Either way, this doesn't mean that Java is an insecure language or platform, or that web sites built on Java EE are any less secure than other platforms. Unfortunately, perception often beats reality, and Java is getting a big black eye from this one. Hopefully Oracle can do more than just release updates to patch the vulnerabilities. They need to launch a campaign that explains the differences, as well as take steps to stop these vulnerabilities more effectively.

Happy Coding!
-EJB

Related Reading






Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
 


Video