Server side vulnerabilities in Java

Recently, Oracle has released several updates to Java related to security vulnerabilities. In many cases, perception prevails over reality and users begin to think Java is bad. The reaction to this perceived notion is usually extreme: administrators may block Java at their firewall or simply uninstall Java completely from users' machines.
I will try to change this perception so users understand exactly what is at risk when using Java.
What is Java

Before diving deep into what is bad and harmful, I'd like to talk about the role of Java in the software industry. Java is a programming language that allows developers to write code once and run it on different operating systems. Programs written in Java can be deployed as:
Server and stand-alone applications
It is important to understand that these vulnerabilities in Java do not affect applications that run on a server or as a stand-alone application on a client machine. Synametrics makes many applications written in Java that run on a server machine (for example, Syncrify server) or as a stand-alone application on a client machine (for example, Syncrify client).
When people talk about Java being insecure, they are talking about the browser plug-in. A browser plug-in, by design, downloads a program (an applet) from a website and runs it on your computer inside the browser. Several restrictions are imposed on a program executing within the Java plug-in; for example, it is not allowed to access local files on the machine.
By exploiting a security hole in the browser plug-in, a program can bypass the restrictions imposed on it. In other words, an applet becomes able to access the local disk even though it is not supposed to.
This is the main reason why you see a warning message displayed by your browser complaining about an older version of Java.
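The file-access restriction described above is enforced by the JRE's sandbox. The following program, an added example that is not part of the original post or of any Synametrics product, reads the same file twice: once as an ordinary trusted application and once after installing the default SecurityManager, whose default policy grants no FilePermission, so the second read is refused just as it would be for an unsigned applet. It assumes a JDK that still ships the SecurityManager (Java 8 through 17 run it as-is; Java 18 to 23 need `-Djava.security.manager=allow`; Java 24 removed it), and the file path is a placeholder you may replace with any local file.

```java
import java.io.FileInputStream;
import java.io.IOException;

// Demonstrates the sandbox restriction the applet plug-in relies on:
// the same read succeeds for trusted code and is denied under the
// default SecurityManager, whose default policy grants no FilePermission.
// Assumption: run on Java 8-17 (18-23 need -Djava.security.manager=allow).
public class SandboxDemo {

    /** Attempts to open and read one byte from path; reports the outcome. */
    static String tryRead(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            return "read OK (first byte " + in.read() + ")";
        } catch (SecurityException e) {
            // AccessControlException extends SecurityException; this is the
            // sandbox refusing the read before the file is even opened.
            return "denied by sandbox: " + e.getMessage();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Placeholder path; pass any readable local file as the first argument.
        String path = args.length > 0 ? args[0] : "/etc/hosts";

        System.out.println("Trusted application: " + tryRead(path));

        // Install the default SecurityManager with the JRE's default policy.
        // From here on, this code is treated like untrusted applet code.
        System.setSecurityManager(new SecurityManager());

        System.out.println("Under sandbox:       " + tryRead(path));
    }
}
```

A plug-in exploit of the kind the text describes is one that makes the second read succeed; an up-to-date JRE is what keeps it refused.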
Private copy of Java

The Java Runtime Environment (JRE) can be installed in two ways:
A private copy, on the other hand, is used by only one application. A good example is Syncrify, which installs a private copy of the JRE that no other program on the machine knows about.
Upgrading to latest JRE

It is always best to stay current if you have installed a JRE that is global to the machine, such as one downloaded from Oracle's website. This way, if you visit a website containing a malicious Java applet, that software won't be able to get access to your computer.
Upgrading a private copy of the JRE does not affect browsers. Therefore, even if a private copy on the machine uses an older build or version of the JRE, it does not matter.
Conclusion

In short, keep the following points in mind when using Java: