What's wrong with Java?

In light of numerous security scares, Davey Winder questions what's wrong with Java and whether it still has a place in the enterprise?

He added: "What recent experiences may do is accelerate the use of more advanced browser-based UI technologies, such as HTML5, but will not affect Java as many companies' server platform of choice for enterprise applications."

Indeed, as most enterprise use requires the Java platform to be deployed but not the plugin it's perfectly feasible to do so safely by disabling the 'Enable Java content in the browser' option by running the installer with a command line option of WEB_JAVA=0. 

Bearing in mind all that I've covered so far, the thing that was really nagging at me and that I wanted to get to the bottom of was whether Java is therefore inherently and programmatically insecure.

Bad to the bone?

Putting the question to the security and development community proved to be something of a schizophrenic experience, with opinion being fairly evenly split between the yes and no camps.

David Emm, senior security researcher at Kaspersky Lab, argues that despite Java topping the lab's list of vulnerable applications in 2012, this wasn't because there is anything intrinsically wrong with it.

"Cyber criminals target applications that are likely to reap rewards for them in this case installing their code on a vulnerable system," Emm insists. "This means targeting an application that is widely-used and often goes unpatched. Java is often installed by default, even where people don't necessarily need it. As a result, if it goes unpatched it becomes a potential threat."

Another security vendor disagrees, however. Catalin Cosoi, chief security strategist at Bitdefender, argues that "much like actual hardware, a Java virtual machine is built to run arbitrary code, and modified to not-run some code."

Cosoi continued: "This is based on a constantly changing (and by definition) incomplete list of criteria, which may or may not be properly translated into software functionality. If this sounds bad for security, it's because it is."

Cosoi told me that relying on the Java virtual machine for system security is not such a great idea and that the virtual machine should be trusted to run code in its own context. "The limits of that context and the trustworthiness of the code which the Java VM is allowed to execute should be judged and enforced elsewhere" Cosoi concluded, perhaps not surprisingly adding "namely at OS level, with the aid of specialised security software."

But Trustwave's Mador is almost evangelical when he insists that "Java has a good security-oriented design and gets better with each version." Mador does agree, however, that security solutions claiming to handle Java vulnerabilities should be in place for those organisations that cannot disable the plugin because they use Java in their environments is the way forward. This brings us nicely to the 'disable or not' debate that has been rather furiously raging within the IT security sector of late.

Some, such as Jovi Bepinosa Umawing, communications and research analyst at GFI Software, told me that "for the time being, it is best that users disable Java" based upon researchers already successfully exploiting the vulnerability in a sandboxed environment, and new exploit kits have already appeared on the dark market. This suggests that the Oracle patch doesn't completely address the vulnerability issue.

His colleague, Dodi Glenn, isn't quite so convinced and instead advises that any business running Java in their environment should create an action plan in the event of a vulnerability being discovered which "includes ensuring the machines are patched, as soon as an update is available, and there is an ability to disable Java from all machines if need be."

Andrew Storms, director of security operations at nCircle, has a practical solution for the smaller end of the business spectrum which is "if you have to run Java for an application, use a security zone or only use Java plugins on trusted sites."

Storms added: "Both Chrome and Firefox have options that allow users to authorize the use of Java plugins anytime they are requested, so it makes sense to switch to one of these browsers when users want to be selective about the use of Java plugins."

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Most Popular

UK spy agencies supercharge espionage efforts with AWS data deal
cloud computing

UK spy agencies supercharge espionage efforts with AWS data deal

26 Oct 2021
Cryptocurrency: Should you invest?

Cryptocurrency: Should you invest?

27 Oct 2021
Royal Mint to recover gold from smartphones and laptops in world first

Royal Mint to recover gold from smartphones and laptops in world first

21 Oct 2021