Jake Charman

Resident Geek of Nitrous Junkie Racing

The Problem With Java…

Wed 15 Jul 2015

So today yet another vulnerability was reported that affects many of Oracle’s products, but perhaps most notably Java, resulting in a 0-day attack. Luckily for us, Oracle released a patch a matter of hours after the bug was found; however, “Version 8 Update 51” does seem a little extreme, doesn’t it?

Java works by running applications in a VM, or sandbox, which gives compatibility with any OS the VM has been written for. The VM can also be installed on devices that need only a simple OS, such as car radios, allowing developers to essentially write an OS in Java. The problem with this is that Java is often used to run code without prompting or even warning the user, which means untrusted code frequently gets run. Theoretically this should be fine because, again in theory, the code is running inside the VM and is completely separate from the OS, in the same way that, in theory, running a thousand different viruses in a Windows VM is fine.

The trouble is that, as with a Windows VM, there are sometimes issues either in the way the VM is set up or in the way the VM was written that allow the thousand viruses to leak out onto the physical PC. In the same way, untrusted code run in Java is occasionally allowed through to the OS.

Personally, I quite like the way Java works; however, I am still sure to update it as soon as an update is released. I would like to see more testing done by Oracle to ensure that there are no holes in the sandbox. Later versions of Java do warn when untrusted code is about to be run, for example on a website that has a Java applet embedded in it to add functionality. Naming no names, however, I find that web developers quite commonly neglect to update their apps to work with the latest version, meaning that the new security features have to be turned off to allow them to run. I have seen this many times from businesses that are run solely online and are big enough to have the budget for web development.
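To make the sandbox idea from the paragraphs above concrete, here is an added example (my own illustration, not code from the original post and not Oracle’s applet sandbox itself). Real applets ran under the JRE’s SecurityManager and its policy; this toy version installs a small deny-by-default SecurityManager, runs the same “untrusted” code with the sandbox on and then off, and shows that with the sandbox on the attempt to read the host user’s home directory is refused before it reaches the OS, while with the security features turned off, as in the “turn it off so the old applet runs” situation, the same code reads the host freely. The class and method names are my own.

```java
import java.io.File;
import java.security.AccessControlException;
import java.security.Permission;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Toy model of the Java sandbox: the same "untrusted" code is run once with a
 * deny-by-default SecurityManager installed and once with none, to show what
 * the sandbox mediates and what the code can reach when it is switched off.
 */
public class SandboxDemo {

    /** The only permission the toy sandbox grants: the right to remove itself afterwards. */
    private static final Set<String> ALLOWED =
            new HashSet<>(Arrays.asList("setSecurityManager"));

    /** Stand-in for untrusted applet code: it tries to read the host user's home directory. */
    static String untrustedCode() {
        // Reading a system property and listing a directory are both
        // permission-checked calls when a SecurityManager is installed.
        File home = new File(System.getProperty("user.home"));
        String[] entries = home.list();
        int count = entries == null ? 0 : entries.length;
        return "untrusted code listed " + count + " entries in " + home;
    }

    /** Deny-by-default manager: every permission not on the allow list is refused. */
    static final class DenyByDefault extends SecurityManager {
        private final Set<String> allowed;

        DenyByDefault(Set<String> allowed) {
            this.allowed = allowed;
        }

        @Override
        public void checkPermission(Permission perm) {
            if (!allowed.contains(perm.getName())) {
                // Built without string concatenation so nothing extra runs while denying.
                throw new AccessControlException("sandbox denied", perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /** Runs the untrusted code with the sandbox on or off and reports what happened. */
    static String run(boolean sandboxOn) {
        AccessControlException denied = null;
        String result = null;
        if (sandboxOn) {
            System.setSecurityManager(new DenyByDefault(ALLOWED));
        }
        try {
            result = untrustedCode();
        } catch (AccessControlException e) {
            denied = e; // the sandbox stopped the call before it reached the OS
        } finally {
            if (sandboxOn) {
                System.setSecurityManager(null); // permitted by the allow list above
            }
        }
        if (denied != null) {
            return "sandbox ON:  blocked " + denied.getPermission();
        }
        return "sandbox OFF: " + result;
    }

    public static void main(String[] args) {
        System.out.println(run(true));
        System.out.println(run(false));
    }
}
```

Compile and run it with `javac SandboxDemo.java && java SandboxDemo`. The first line reports the blocked `PropertyPermission` for `user.home`, the second the directory listing the unsandboxed run managed to take. It runs as-is on JDK 8 to 17; from JDK 18 the SecurityManager is disabled by default (it is deprecated for removal), so start the JVM with `-Djava.security.manager=allow`. The point of the post still stands either way: the sandbox only protects you while it is switched on and the VM enforcing it is patched.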

So, to conclude, I quite like the model on which Java works. It is brilliant for cross-platform apps, since your app will essentially work on anything Oracle writes the sandbox for. I believe they even provide the binaries that can be compiled for any system. However, it is essential to keep up with the essential updates from Oracle to ensure that both your apps and your PCs are secure.