Category Archives: Security

aka infosec

Java: what is it, and why do I need it?

You’re probably sick of hearing about Java and its troubles. Still, there seems to be a lot of confusion about what Java is, what it’s used for, and whether it’s really needed. This post is an attempt to alleviate that confusion.

From the About page on the Java web site:

From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the Internet, Java is everywhere!
– 1.1 billion desktops run Java
– 3 billion mobile phones run Java
– 100% of all Blu-ray players run Java
– Java powers set-top boxes, printers, Web cams, games, car navigation systems, lottery terminals, medical devices, parking payment stations, and more.

What is Java?

Java is essentially a programming language. It’s also a runtime environment: a program that runs natively on your PC or other computing device and allows Java programs to run on that device.

Why is Java everywhere?

Java is embedded into many household and industrial devices. Typically these devices run older versions of Java, and those older versions often have security vulnerabilities. However, the potential for damage through exploiting vulnerabilities on such devices is usually small or non-existent.

Java is currently installed on most consumer and corporate PCs, usually because at least one Java application or Java-enabled web site requires it. Java may also be enabled in the various web browsers used on those PCs.

The main reason for Java’s prevalence is its portability. In computing terms, that means a Java program will run on any Java-enabled device without modification. Developers only need to create one version of a program, instead of a different version for every computing platform they want to support.

Java in the browser; Java outside the browser

To run a Java program outside of a web browser, a Java Runtime Environment (JRE) must be installed on the device. To use a Java-enabled web site or a web-based Java application, you still need a JRE, but you also need a Java plugin for your web browser. Each browser handles plugins differently, but without a Java plugin providing a link between the browser and the JRE, Java code will not run in the browser.

Because a plugin is required to run Java in a web browser, disabling the plugin is a sure-fire way to avoid web-based Java malware.

Java programs that run outside of the web browser

The primary danger posed by Java at this time is visiting malware-infested web sites with a vulnerable version of Java enabled in the web browser. A Java program that runs outside the web browser is safe, even if the shared JRE is old or vulnerable, because the only Java code that runs is the code for that program. If you trust the program’s developer, you’re safe. Note that there is one exception: if the program contains a Java-enabled web browser, the risk is the same as in any other Java-enabled web browser.

Examples:

  • Minecraft – a popular game
  • Eclipse – a software development environment
  • FreeMind – mind-mapping software
  • OpenOffice (Base; wizards) – an office application suite

Java programs that run in the web browser

A Java program that runs in the web browser is safe – even using a shared, old, or vulnerable JRE – as long as you only use that program and don’t navigate to any Internet-based web sites. If you must run a browser-based Java program, try to use one particular web browser for that program (and any similar programs). In other words, use a browser that has Java disabled for web browsing, and a different (Java-enabled) browser for running your browser-based Java programs.

Examples:

  • Yahoo SiteBuilder – requires and installs JRE 1.6 in a shared location, and installs JRE 1.6 components in browsers (use with caution)
  • Vigiliti nLive – network management software
  • ManageEngine OpManager – system management software
  • many other system and network monitoring and analysis packages

Web sites that require Java for proper operation

If you can’t avoid web sites that use Java: again, it’s a good idea to set aside a Java-enabled web browser for accessing those sites (and nothing else!). Use a separate web browser with Java disabled for most of your web surfing.

Examples:

  • Some banking web sites
  • The Wall Street Journal website uses Java for dynamic charts
  • Secunia’s Online Software Inspector

Java applications that install their own JRE

When an application requires a JRE to run, it can use a shared JRE that is typically installed in a standard location where it can be found by any Java application on the PC. It can also install its own JRE in a location where it is only used by that application. This avoids potential compatibility issues, but it can make things more confusing for anyone trying to understand how Java is being used on their PC.

Examples:

  • Vigiliti nLive – network management software
  • ManageEngine OpManager – system management software
  • MindRaider – notebook and outlining application

How is Java related to Javascript?

It isn’t. Java is to Javascript what ham is to hamster. Like Java, Javascript is a programming language, and it’s often used on web sites to provide enhanced functionality. Also like Java, Javascript is often used for malware. Unlike Java, Javascript can only run within a web browser. Both represent significant security threats, and both can be disabled within web browsers, but doing so may cause some web sites to stop working properly.

Why are there so many security problems with Java?

Java’s success – its prevalence on PCs – has made it a useful target for malware developers. The success of Windows made that operating system the primary target of malware developers for years, but Microsoft has improved the security of Windows, and malware writers are looking for other targets.

All programs contain bugs, and if enough time is spent examining a program, eventually someone will find a way to break it in a way that allows security to be bypassed. Java is a program like any other, and the new focus on Java is revealing more and more security issues.

Why do developers still use Java?

Given all the recent problems with Java, one might expect software and web site developers to steer clear of it. Some developers are probably already looking elsewhere, and the longer it takes for Oracle/Sun to fix Java’s security problems, the more developers will bail. Most developers are probably concerned, but biding their time; switching away from Java is likely to be a massive undertaking.

Why do I need Java? Can I stop using it?

There’s no way to escape Java completely. You probably have several devices in your home that have Java embedded into them. But apart from the Java embedded in devices, you may not need Java at all.

In the PC world, some applications and web sites need Java to work properly. If you don’t have Java on your PC, you won’t be able to use those applications and web sites. If you’re a system or network administrator, you probably need Java to run system management tools. Your employer may use or require custom Java software in your workplace. You may need Java to use your bank’s web site. And so on.

The only way to know for sure whether you can do without Java on your PC is to disable or uninstall it, then make note of any web site or application that stops working. Of course, this may be more difficult than it sounds, since functionality may only be affected in subtle ways.

More problems with Java

  • Version confusion: traditionally, the JRE installer left old versions intact when installing new versions. This was apparently done to get around version incompatibilities, but in practice it created more problems than it solved. More recent JRE installers seem to be better at cleaning up older versions.
  • Java Development Kits (JDKs) add to the confusion, since they typically include their own, separate, embedded JRE.
  • There are apparently no tools for finding and diagnosing Java installations on a PC. JavaRa is useful to a point, but it doesn’t seem to find embedded JREs installed with certain Java applications.
  • When you install Java, it sets itself up to perform auto-updates. This feature can be disabled, but it has to be done every time you install or update Java. Worse, the auto-updater may delay updating your Java for days or even weeks after an update becomes available.
  • Recently, Oracle started including crapware (aka foistware) with Java JREs. Performing a default install of a recent JRE will add a worthless toolbar to your browser and may hijack your browser search settings.
  • Removing Java from Internet Explorer is almost impossible. Web browsers like Firefox and Google Chrome include simple settings for disabling Java, but for some reason this is not the case with IE.
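Two of the points above, that applications may bundle a private JRE in their own directory and that there is no ready tool for finding every JRE on a PC, can be addressed with a small inventory script. The following is an added example, not code from the original post or from any product mentioned on it. It walks the directories you name on the command line for java/java.exe, runs each one with -version, and reports whether the runtime sits in an assumed shared install location or is embedded inside an application, and whether it is older than a baseline (Java 7 Update 11, the fix named on this page). The shared-location prefixes, the depth limit and the sample -version output are assumptions or constructed data.

```python
"""Inventory the Java runtimes on a PC.

Added example, not code from the original post. It walks the given
directories for java/java.exe, runs each with -version, and records whether
the runtime sits in an assumed shared install location or is embedded inside
an application, and whether it is older than a baseline version. The shared
prefixes and the sample -version output are assumptions / constructed data.
"""
import os
import re
import subprocess
import sys

# Assumed shared-JRE install prefixes; a java executable anywhere else is
# treated as a JRE embedded in (and private to) some application.
SHARED_PREFIXES = (
    r"C:\Program Files\Java",
    r"C:\Program Files (x86)\Java",
    "/usr/lib/jvm",
    "/Library/Java/JavaVirtualMachines",
)

# First line of `java -version`, e.g.  java version "1.7.0_11"
VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)

# Baseline to flag against: Java 7 Update 11 is the fixed release named on this page.
BASELINE_VERSION = "1.7.0_11"


def _norm(path: str) -> str:
    """Host-independent normalisation: forward slashes, no trailing slash, lower case."""
    return path.replace("\\", "/").rstrip("/").lower()


def is_shared_location(path: str) -> bool:
    """True if path lies under one of the assumed shared install prefixes."""
    n = _norm(path)
    return any(n == _norm(p) or n.startswith(_norm(p) + "/") for p in SHARED_PREFIXES)


def parse_java_version(output: str):
    """Extract the quoted version from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Turn '1.7.0_11' or '11.0.2' into a tuple of ints for comparison."""
    return tuple(int(part) for part in re.split(r"[._-]", version) if part.isdigit())


def find_java_executables(roots, max_depth=8):
    """Walk each root (to a depth limit) and return paths of java/java.exe files."""
    names = {"java", "java.exe"}
    found = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        base_depth = _norm(root).count("/")
        for dirpath, dirnames, filenames in os.walk(root):
            if _norm(dirpath).count("/") - base_depth >= max_depth:
                dirnames[:] = []  # stop descending below the depth limit
            found.extend(os.path.join(dirpath, f) for f in filenames if f.lower() in names)
    return found


def probe_version_output(exe: str) -> str:
    """Run `<exe> -version`; the JRE prints to stderr, so capture both streams."""
    try:
        proc = subprocess.run([exe, "-version"], capture_output=True, text=True, timeout=20)
    except (OSError, subprocess.SubprocessError):
        return ""
    return proc.stderr + proc.stdout


def build_inventory(path_output_pairs, baseline=BASELINE_VERSION):
    """Classify each (path, -version output) pair into an inventory record."""
    records = []
    for path, output in path_output_pairs:
        version = parse_java_version(output)
        records.append({
            "path": path,
            "version": version,
            "shared": is_shared_location(path),
            "outdated": version is not None and version_key(version) < version_key(baseline),
        })
    return records


def inventory(roots, baseline=BASELINE_VERSION):
    """Find, probe and classify every Java runtime under the given roots."""
    exes = find_java_executables(roots)
    return build_inventory([(e, probe_version_output(e)) for e in exes], baseline)


# Constructed sample output (not captured from real systems) so the
# classification can be exercised without running any java binary.
SAMPLE_OUTPUTS = [
    (r"C:\Program Files\Java\jre7\bin\java.exe",
     'java version "1.7.0_11"\nJava(TM) SE Runtime Environment (build 1.7.0_11-b21)\n'),
    (r"C:\Program Files\ExampleApp\jre\bin\java.exe",
     'java version "1.6.0_24"\nJava(TM) SE Runtime Environment (build 1.6.0_24-b07)\n'),
    ("/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java",
     'java version "1.7.0_09"\nOpenJDK Runtime Environment (IcedTea7 2.3.3)\n'),
]

if __name__ == "__main__":
    # Real scan if roots are given on the command line, otherwise the sample data.
    roots = sys.argv[1:]
    records = inventory(roots) if roots else build_inventory(SAMPLE_OUTPUTS)
    for r in records:
        kind = "shared  " if r["shared"] else "embedded"
        flag = "OUTDATED" if r["outdated"] else "ok"
        print(f"{kind}  {r['version'] or '?':10}  {flag:8}  {r['path']}")
```

Run it as `python java_inventory.py "C:\Program Files" "C:\Program Files (x86)"` on a Windows PC (or `/opt /usr/lib/jvm` on Linux) to list every runtime, embedded ones included; an "embedded" line with an old version is exactly the kind of install the JRE updater and tools like JavaRa will miss, and it is harmless as long as that application never exposes the runtime to a web browser.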

Further reading

If you’ve gotten this far and want more, the folks over at Windows Secrets recently posted some more useful information about Java.

No surprise: latest Java still not secure

It looks like Java is currently the target of choice for malware authors, which must be a relief for Microsoft, since Windows was the target of choice for years. That means Java’s developer (Oracle/Sun) is in for a rough ride: the rate at which new Java vulnerabilities are found and exploits developed to use them is going to increase. The only thing that will reverse the trend is a big push by Oracle/Sun to make the core of Java a lot more healthy in terms of security. Until that happens, you’re going to keep hearing the same advice: don’t enable Java in your web browser unless you need it, limit Java use in the browser to sites and applications that require it, and even remove Java completely if you really don’t need it at all.

Java Update (hopefully) fixes recent 0-day vulnerability

A new update for Java (Version 7, Update 11) was released today. This update is supposed to fix the serious 0-day vulnerability discovered last week. Anyone using Java 7 in a web browser should install this update immediately. Given the recent track record of Oracle/Sun (Java’s developer), it remains to be seen whether this update actually fixes the vulnerability. I will wait for Adam Gowdiak to weigh in before I’m certain one way or the other.

Update 2013Jan17: An interesting post over at NetworkWorld reviews what’s being said about the state of Java’s vulnerability.

Latest Java still vulnerable, new exploits in the wild

A new vulnerability in all the most recent versions of Java is already being exploited in the wild. It’s being called a critical zero-day bug, meaning that the vulnerability can be exploited right now, before the developers have had a chance to fix it, and that it allows for serious security breaches.

The Ars Technica article linked above points out that several hacking toolkits have already been updated to include exploits specific to this vulnerability.

Our advice on using Java remains the same: if you require Java to be enabled in your web browser, use the available security features to prevent Java from running in any context where it’s not actually necessary. If you only require Java to be available outside of a web browser, disable Java in your web browser. If you don’t need Java at all, disable or remove it completely.

For additional details, see the CERT post. Mozilla has a helpful post about protecting users from this vulnerability.

Update 2013Jan12: Adam Gowdiak has weighed in on this issue. According to Mr. Gowdiak, this new vulnerability is the result of a previous vulnerability being improperly fixed by an earlier patch.

And now, an apology: somehow I missed the release of Java Version 7 Update 10, which apparently became available on December 12, 2012. That version addressed a variety of vulnerabilities and other bugs, and enhanced security in general with new features like the ability to prevent any Java application from running in a web browser.