Java, the great enabler of useful applications or a waste of space that is doing more harm than good? After the last few weeks this has become a question worthy of a philosophy lecture.
First in late August came news of two serious zero day Java vulnerabilities (CVE-2012-4681), with plenty of evidence that criminals were exploiting them in a big enough way to pose serious questions over Java's continued use.
Oracle patched the flaw in an out-of-band release but according to Polish security firm Security Explorations, the company had been told about the issue months before and had apparently not acted.
Adding a note of the absurd, not long after the fix had appeared, the Poles said they’d found a vulnerability in the patch of the zero day, a way for code to beat the software's security blanket sandbox.
So, a serious flaw allegedly known about for months, only patched once exploits had started appearing. And then this patch immediately turns out to have a security a sandbox-busting flaw of its own.
Should consumers and businesses keep Java on their desktops? In both cases the answer is a 'yes' but only if it is actually required.
Java myth number 1 – I need Java on my computer just in case
For businesses, working out whether the Java runtime environment (JRE) is needed is fairly straightforward and the answer sis usually ‘yes’. Presumably admins wouldn’t allow Java on desktops if it wasn’t there for a reason and that will often be tied to a specific version. In the case of consumers, many probably won’t need Java but will have it on their computers whether they know it or not. Many retail PCs simply include it by default.
The JRE is still necessary for a clutch of games that work as applets not to mention Google’s heavy and contentious use of the software inside Android but otherwise its popularity is waning. Bear in mind that Java installs on the PC but can be enabled or disabled inside browsers too.
You can test whether Java is enabled and which version is being used by visiting this site.
Microsoft’s adoption of its own non-standard version, JScript, caused serious unhappiness that it was hijacking a good open source idea for its own ends, but that's an aside.
Myth number 3 – old versions are harmless
That’s another thing about Java. Even when security updates are available and users take the time to download them, many forget to de-install old versions.
As Oracle itself said in May, "Keeping old and unsupported versions of Java on your system presents a serious security risk." The company helpfully tells people how to do this and it’s incredibly simple as long as you remember to do it and know that it’s necessary in the first place.
You’d wager most computer users don’t know that this is important and have better things to do with their time in any case.
So why doesn’t Oracle delete old versions when installing newer ones? Because old versions might conceivably be used by some applications and so they can’t. If such apps are encountered on a machine cleansed of old versions, Oracle keeps an archive of should they be required.
A good tip is to make sure that new versions of Java are downloading automatically (they should be by default) and that the system checks for new verisons often enough (the default is once a month, probably not frequent enough). In Windows run the Java app from Control Panel and click in the Update/advanced tab and set to ‘once a week.’
Myth 4 - Java vulnerabilities are a Windows problem
Java flaws can affect all platforms on which the runtime is present, including Apple and Linux. This doesn’t mean that every Java flaw affects these platforms equally. The overwhelming bulk of malware exploiting Java flaws targets Windows users, that is it attempts to open a back door into which will rush a Windows-specific payload.
But the Flashback Trojan from earlier this year proved that Mac users are not immune from nefarious Java if the malware writers become interested enough. That involved a Java flaw (CVE-2012-0507) that had to be patched by Apple itself. In other words, Apple users face two layers of dependency, that of Oracle (which issues the update) and Apple (which actually issues it as part of its security cycle).
Myth five – Oracle will protect me
If it turns out to be true that Oracle has been unresponsive to vulnerability reports for months, that belief goes out of the window. Malware writers have been hunting in the Java space for some years and there is no sign that matters are improving. Watch this space.