View blogs | Login

Server side vulnerabilities in Java

 Recently, Oracle has released several updates to Java related to security vulnerability. In many cases, perception prevails over reality and users begin to think Java is bad. The reaction to this perceived notion is usually extreme - meaning the administration may block java through their firewall or simply uninstall Java completely from the user's machine.

I will try changing this perception so users understand what exactly is at risk when using Java.

What is Java

Before diving deep into what is bad and harmful, I'd like to talk about the role of Java in the software industry. Java is a programming language allowing developers to write code once and run it on different operating systems. Programs written in Java can be deployed as:
  • Applications running on a server machine as part of an application server
  • Stand-alone applications running on a client machine with a visual interface
  • Browser based applications that run within the context of a web browser

Server and stand-alone applications

It is important to understand that vulnerability in Java does not affect applications that run on the server or as a stand-alone application on a client machine. Synametrics makes many applications that are written in Java which run on a server machine (for example, Syncrify server) or as a stand-alone application on a client machine (for example Syncrify client).

Browser plugin

When people talk about Java being insecure, they are talking about browser plug-ins. A browser plugin, by design, is supposed to download a program from a website and run it on your computer within a browser. Several restrictions are imposed upon the program executing within a Java Plugin. For example, the program that runs within this plugin is restricted from accessing a local file on the machine.

By exploiting a security hole in browser plugins, a software program can by-pass restrictions imposed upon them. In other words, an applet will be able access the local disk if even if it is not supposed to do that.

This is the main reason why you see a warning message displayed by your browser complaining about an older version of Java.

Private copy of Java

Java Runtime Environment (JRE) can be installed in two ways:
  1. Global copy - available to every program installed on a machine, such as a web browser
  2. Private copy - only available to the software that installed it.
When you install Java downloaded from Oracle's website, it installs globally on the machine. Meaning every application, including web browsers can use this version of Java to run programs.

A private copy on the other hand is only used by one application. A good example is Syncrify, which installs a private copy of the JRE and no other program on the machine know about it.

Upgrading to latest JRE

It is always best to stay current if you have installed a JRE that is global to the machine, such as downloading a JRE from Oracle's website. This way, if you visit a website containing a malicious Java applet, that software won't be able to get access to your computer.

Upgrading a private copy of the JRE does not affect browsers. Therefore, even if you use an older build or version of JRE on the machine, it does not matter.

Conclusion

In short, keep the following points in mind when using Java
  • Java vulnerabilities only affect browser-plugins. Programs running Java either on the server side, or as a stand-alone program are not affected by these vulnerabilities.
  • If you install Java globally on your machine, it is important to set it to auto-update.
  • Avoid visiting websites that are not trustworthy





Created on: 6/21/13 9:13 AM
Last updated on: 6/21/13 4:26 PM

Navigation

Social Media

Powered by 10MinutesWeb.com