The dangers of too much Java

Jan 31, 2013
Assistant Professor of Computer Science and Engineering Justin Cappos.

Justin Cappos, an assistant professor of computer science and engineering at the Polytechnic Institute of NYU-Poly, has long been wary of the security risks inherent in Java, the programming language developed by Sun Microsystems in the 1990s. Referring to the libraries of algorithms, data structures, and commands that are part of every computing language, he said, "In Java, the standard libraries are huge; they involve about a million lines of code. A small problem in any one of those lines can leave Java vulnerable to attack."

Lately, those have been receiving increasing attention in the press. On January 13 of this year, for example, Oracle released 7, Update 11, and within a day, as journalists worriedly reported, hackers had begun exploiting glitches within the update. Cappos explained one of the major dangers of such exploits, warning, "A hacker taking advantage of bugs in Oracle's program could conceivably make your computer part of a , a collection of machines whose security has been breached and which are now under the control of that party." Because botnets have been used to send viruses or worms, commit fraud, and collect personal information via spyware, among other , the social and financial ramifications are enormous. As Oracle admits on its Web site, "Successful exploits can impact the availability, integrity, and confidentiality of the user's system."

While the company continually develops "patches" to try to correct the problems, Cappos is not confident that any lasting solutions will be found. "There's no end in sight," he said. "As fast as Oracle can fix one bug, another is discovered." He strongly suggests that users disable Java on their machines. "Other computer-security experts agree, and we're not being alarmists here. Even the is making the same recommendation." He stresses that disabling Java will not affect a computer's performance or utility. "The program once made the browsing experience more powerful and responsive and allowed for wonderful, complex websites," he recalled.

"But Java is now totally unnecessary for most end-users, and developers of Internet Explorer and Chrome have worked to make disabling it a simple process anyone can complete. Firefox and Safari now disable Java by default." Cappos cautions that many people confuse Java and JavaScript, although the two are vastly different products whose similar names are merely the result of a poor marketing decision. "I once heard an apt description that Java is to JavaScript as car is to carpet," he quipped. "JavaScript is unequivocally not part of the Java platform and does not pose similar dangers."

Years ago, Cappos approached the software giant about its security risk of having a large amount of security critical code in Java. He draws on practical experience with a secure execution environment for the Seattle TestBed, a free, community-driven, open-source system that operates on laptops, servers and phones. The global distribution of the Seattle network provides the ability to use it in cloud computing, peer-to-peer networking, ubiquitous/mobile computing, and distributed systems, among other application. It boasts thousands of users around the world, including major universities and research facilities and is open for anyone to participate in.

Because Seattle's sandbox employs only about 8,000 lines of trusted code, it runs in a safe and contained manner, with minimal impact on system security and performance. "We're always working to see how far we can push. We want to make it even smaller," Cappos said. "A million lines is obviously just too much."

Explore further: Thanksgiving travel woes? There's an app for that

add to favorites email to friend print save as pdf

Related Stories

Oracle says Java is fixed; feds maintain warning

Jan 14, 2013

Oracle Corp. said Monday it has released a fix for the flaw in its Java software that raised an alarm from the U.S. Department of Homeland Security last week. Even after the patch was issued, the federal ag ...

Latest Java poison romps on as ok.XXX4.net

Aug 28, 2012

(Phys.org)—Yet another Java-related computer threat, cross-platform, has been nailed by security researchers. An exploit was seen by FireEye researchers on Sunday, being hosted on a domain ok.XXX4.net. ...

Recommended for you

Audi to develop Tesla Model S all-electric rival

11 hours ago

The Tesla Model S has a rival. Audi is to develop all-electric family car. This is to be a family car that will offer an all-electric range of 280 miles (450 kilometers), according to Auto Express, which ...

A green data center with an autonomous power supply

16 hours ago

A new data center in the United States is generating electricity for its servers entirely from renewable sources, converting biogas from a sewage treatment plant into electricity and water. Siemens implemented ...

After a data breach, it's consumers left holding the bag

17 hours ago

Shoppers have launched into the holiday buying season and retailers are looking forward to year-end sales that make up almost 20% of their annual receipts. But as you check out at a store or click "purchase" on your online shopping cart ...

Can we create an energy efficient Internet?

17 hours ago

With the number of Internet connected devices rapidly increasing, researchers from Melbourne are starting a new research program to reduce energy consumption of such devices.

Brain inspired data engineering

18 hours ago

What if next-generation ICT systems could be based on the brain's structure and its cognitive and adaptive processes? A groundbreaking paradigm of brain-inspired intelligent ICT architectures is being born.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.