Server side vulnerabilities in JavaOracle regularly releases updates of Java improving its security vulnerability. In many cases, perception prevails over reality and users begin to think Java is bad. The reaction to this perceived notion is usually extreme - meaning the administration may block java through their firewall or simply uninstall Java completely from the user's machine.
My goal is to try and change this perception so users have a better understanding of what exactly is at risk when using Java.
What is Java?Before diving deep into what is bad and harmful, I'd like to talk about the role of Java in the software industry. Java is a programming language allowing developers to write code once and run it on different operating systems. Programs written in Java can be deployed as:
Server and Standalone ApplicationsIt is important to understand that vulnerability in Java does not affect applications that run on the server or as a stand-alone application on a client machine. Synametrics developed several applications that are written in Java that run on a server machine (for example, Syncrify server) or as a stand-alone application on a client machine (for example Syncrify client).
Browser PluginWhen people talk about Java being insecure, they are really talking about is browser plug-ins. A browser plugin, by design, is supposed to download a program from a website and run it on your computer within a browser. Several restrictions are imposed upon the program executing within a Java Plugin. For example, the program that runs w ith in this plugin is restricted from accessing a local file on the machine. By exploiting a security hole in browser plugins, a software program can by-pass restrictions imposed upon them. In other words, an applet will be able access the local disk even if it is not supposed to do that. This is the main reason why you see a warning message displayed by your browser complaining about an older version of Java.
Private Copy of JavaJava Runtime Environment (JRE) can be installed in two ways:
1. Global Copy
Upgrading to latest JREIt is always best to stay up-to-date with the latest version of JRE that has been globally installed on the machine. This way, if you visit a website containing a malicious Java applet, that software won't be able to gain access to your computer. Upgrading a private copy of the JRE does not affect browsers. Therefore, even if you use an older version of JRE on the machine, it does not matter.
ConclusionIn short, keep the following points in mind when using Java: