The dangers of too much Java

Jan 31, 2013
Assistant Professor of Computer Science and Engineering Justin Cappos.

Justin Cappos, an assistant professor of computer science and engineering at the Polytechnic Institute of New York University (NYU-Poly), has long been wary of the security risks inherent in Java, the programming language developed by Sun Microsystems in the 1990s. Referring to the libraries of algorithms, data structures, and commands that are part of every computing language, he said, "In Java, the standard libraries are huge; they involve about a million lines of code. A small problem in any one of those lines can leave Java vulnerable to attack."

Lately, those risks have been receiving increasing attention in the press. On January 13 of this year, for example, Oracle released Java 7 Update 11, and within a day, as journalists worriedly reported, hackers had begun exploiting flaws in the updated version. Cappos explained one of the major dangers of such exploits, warning, "A hacker taking advantage of bugs in Oracle's program could conceivably make your computer part of a botnet, a collection of machines whose security has been breached and which are now under the control of that party." Because botnets have been used to send viruses or worms, commit fraud, and collect personal information via spyware, among other abuses, the social and financial ramifications are enormous. As Oracle admits on its Web site, "Successful exploits can impact the availability, integrity, and confidentiality of the user's system."

While the company continually develops "patches" to try to correct the problems, Cappos is not confident that any lasting solutions will be found. "There's no end in sight," he said. "As fast as Oracle can fix one bug, another is discovered." He strongly suggests that users disable Java on their machines. "Other computer-security experts agree, and we're not being alarmists here. Even the U.S. Department of Homeland Security is making the same recommendation." He stresses that disabling Java will not affect a computer's performance or utility. "The program once made the browsing experience more powerful and responsive and allowed for wonderful, complex websites," he recalled.

"But Java is now totally unnecessary for most end-users, and developers of Internet Explorer and Chrome have worked to make disabling it a simple process anyone can complete. Firefox and Safari now disable Java by default." Cappos cautions that many people confuse Java and JavaScript, although the two are vastly different products whose similar names are merely the result of a poor marketing decision. "I once heard an apt description that Java is to JavaScript as car is to carpet," he quipped. "JavaScript is unequivocally not part of the Java platform and does not pose similar dangers."
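As an added example (not code from the article, and not from Cappos's Seattle project), here is a small JavaScript check a page can run to confirm that a visitor's browser no longer exposes the Java plug-in, the state Cappos recommends. It combines the legacy navigator.javaEnabled() call with a scan of navigator.mimeTypes and navigator.plugins. The two navigator objects at the bottom are constructed test inputs; the plug-in name strings in them are assumptions modelled on what the Java 7 browser plug-in reported, not values taken from the article.

```javascript
// Added example: detect whether a browser still exposes the Java plug-in.
// Not code from the article or from the Seattle project.
// In a real page call javaPluginExposed(window.navigator); the sample
// navigator objects below are constructed so the check runs offline.

// MIME types the Java browser plug-in registers for applets and JNLP content.
const JAVA_MIME_TYPES = [
  "application/x-java-applet",
  "application/x-java-vm",
  "application/x-java-bean",
];

// Returns { exposed: boolean, findings: string[] } describing every way the
// given navigator object still advertises Java to web content.
function javaPluginExposed(nav) {
  const findings = [];

  // 1. Legacy API. navigator.javaEnabled() reflects a browser setting, not a
  //    working runtime, so it is only one signal among three.
  if (typeof nav.javaEnabled === "function" && nav.javaEnabled()) {
    findings.push("navigator.javaEnabled() returned true");
  }

  // 2. The plug-in registers MIME types; MimeTypeArray is array-like, so
  //    Array.from works on the real object as well as on plain arrays.
  for (const mt of Array.from(nav.mimeTypes || [])) {
    const type = String(mt.type || "").toLowerCase();
    if (JAVA_MIME_TYPES.includes(type)) {
      findings.push(`MIME type ${type} is handled`);
    }
  }

  // 3. Plug-in names. Match "Java" but not "JavaScript", since the article's
  //    point is that the two are unrelated.
  for (const p of Array.from(nav.plugins || [])) {
    const name = String(p.name || "");
    if (/java/i.test(name) && !/javascript/i.test(name)) {
      findings.push(`plug-in "${name}" is installed`);
    }
  }

  return { exposed: findings.length > 0, findings };
}

// Constructed sample: a browser with the Java 7 plug-in enabled.
// The plug-in name is an assumed value, modelled on the Java 7 plug-in.
const navWithJava = {
  javaEnabled: () => true,
  mimeTypes: [{ type: "application/x-java-applet", suffixes: "" }],
  plugins: [{ name: "Java(TM) Platform SE 7 U11" }],
};

// Constructed sample: Java disabled, other plug-ins still present.
const navDisabled = {
  javaEnabled: () => false,
  mimeTypes: [{ type: "application/pdf", suffixes: "pdf" }],
  plugins: [{ name: "Shockwave Flash" }, { name: "JavaScript Debugger" }],
};

for (const [label, nav] of [["with Java", navWithJava], ["disabled", navDisabled]]) {
  const result = javaPluginExposed(nav);
  console.log(`${label}: exposed=${result.exposed}`, result.findings);
}
```

In a real page, call javaPluginExposed(window.navigator) and treat exposed: true as a sign the plug-in has not actually been turned off, whatever the Java Control Panel says. Browsers that have since dropped NPAPI plug-ins report nothing here regardless of whether a JRE is installed on the host, so the check says nothing about desktop Java, only about what web content can reach.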

Years ago, Cappos approached the software giant about the security risk of keeping so much security-critical code inside Java's trusted base. He draws on practical experience with a secure execution environment for the Seattle TestBed, a free, community-driven, open-source system that runs on laptops, servers and phones. The global distribution of the Seattle network lets it be used for cloud computing, peer-to-peer networking, ubiquitous/mobile computing, and distributed systems, among other applications. It boasts thousands of users around the world, including major universities and research facilities, and is open for anyone to participate in.

Because Seattle's sandbox relies on only about 8,000 lines of trusted code, a base small enough to review thoroughly, it runs untrusted programs in a safe and contained manner, with minimal impact on system security and performance. "We're always working to see how far we can push. We want to make it even smaller," Cappos said. "A million lines is obviously just too much."
