View blogs | Login

Server side vulnerabilities in Java

Oracle regularly releases updates of Java improving its security vulnerability. In many cases, perception prevails over reality and users begin to think Java is bad. The reaction to this perceived notion is usually extreme - meaning the administration may block java through their firewall or simply uninstall Java completely from the user's machine. 

My goal is to try and change this perception so users have a better understanding of what exactly is at risk when using Java.

What is Java?

Before diving deep into what is bad and harmful, UnknownI'd like to talk about the role of Java in the software industry. Java is a programming language allowing developers to write code once and run it on different operating systems. Programs written in Java can be deployed as:
  • Applications running on a server machine as part of an application server
  • Stand-alone applications running on a client machine with a visual interface
  • Browser based applications that run within the context of a web browser

Server and Standalone Applications

It is important to understand that vulnerability in Java does not affect applications that run on the server or as a stand-alone application on a client machine. Synametrics developed several applications that are written in Java that run on a server machine (for example, Syncrify server) or as a stand-alone application on a client machine (for example Syncrify client).

Browser Plugin

When people talk about Java being insecure, they are really talking about is browser plug-ins. A browser plugin, by design, is supposed to download a program from a website and run it on your computer within a browser. Several restrictions are imposed upon the program executing within a Java Plugin. For example, the program that runs w ith in this plugin is restricted from accessing a local file on the machine. By exploiting a security hole in browser plugins, a software program can by-pass restrictions imposed upon them. In other words, an applet will be able access the local disk even if it is not supposed to do that. This is the main reason why you see a warning message displayed by your browser complaining about an older version of Java.

img_58c72d626d954

Private Copy of Java

Java Runtime Environment (JRE) can be installed in two ways: 

1. Global Copy
  • When you install Java downloaded from Oracle's website, it automatically installs globally on the machine. Meaning every application, including web browsers can use this version of Java to run programs.
2. Private Copy
  • A private copy on the other hand is only used by one application. A good example is Syncrify, which installs a private copy of the JRE and no other program on the machine will know about it.

Upgrading to latest JRE

It is always best to stay up-to-date with the latest version of JRE that has been globally installed on the machine. This way, if you visit a website containing a malicious Java applet, that software won't be able to gain access to your computer. Upgrading a private copy of the JRE does not affect browsers. Therefore, even if you use an older version of JRE on the machine, it does not matter.

Conclusion

In short, keep the following points in mind when using Java:
  • Java vulnerabilities only affect browser-plugins. Programs running Java either on the server side, or as a stand-alone program are not affected by these vulnerabilities.
  • If you install Java globally on your machine, it is important to set it to auto-update.
  • Avoid visiting websites that are not trustworthy



Created on: 6/21/13 9:13 AM
Last updated on: 6/1/17 12:07 PM

Navigation

Social Media

Powered by 10MinutesWeb.com