The dangers of too much Java

Jan 31, 2013
Assistant Professor of Computer Science and Engineering Justin Cappos.

Justin Cappos, an assistant professor of computer science and engineering at the Polytechnic Institute of NYU-Poly, has long been wary of the security risks inherent in Java, the programming language developed by Sun Microsystems in the 1990s. Referring to the libraries of algorithms, data structures, and commands that are part of every computing language, he said, "In Java, the standard libraries are huge; they involve about a million lines of code. A small problem in any one of those lines can leave Java vulnerable to attack."

Lately, those risks have been receiving increasing attention in the press. On January 13 of this year, for example, Oracle released Java 7, Update 11, and within a day, as journalists worriedly reported, hackers had begun exploiting glitches within the update. Cappos explained one of the major dangers of such exploits, warning, "A hacker taking advantage of bugs in Oracle's program could conceivably make your computer part of a botnet, a collection of machines whose security has been breached and which are now under the control of that party." Because botnets have been used to send viruses or worms, commit fraud, and collect personal information via spyware, among other things, the social and financial ramifications are enormous. As Oracle admits on its Web site, "Successful exploits can impact the availability, integrity, and confidentiality of the user's system."
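The first step for anyone responsible for a fleet of machines is simply knowing where Java is installed and at what update level. The script below is an added example, not code from the article or from Cappos's group: it parses the text that `java -version` prints (sample outputs are constructed for illustration, including the "1.7.0_11" string for the Java 7 Update 11 release the article mentions) and compares the parsed release against that baseline. The `(7, 11)` baseline and the sample build numbers are assumptions chosen for the demonstration.

```python
"""Inventory helper: parse `java -version` output and compare the installed
release against a baseline update level (Java 7 Update 11 by default).
All sample outputs below are constructed, not captured from a real machine."""
import re
import shutil
import subprocess

# Legacy releases report "1.<major>.0_<update>"; Java 9 and later report
# "<major>.<minor>.<security>". `java -version` writes this text to stderr.
_LEGACY = re.compile(r'version "1\.(\d+)\.\d+_(\d+)')
_MODERN = re.compile(r'version "(\d+)\.(\d+)\.(\d+)')

# Constructed sample outputs (assumed build numbers, for illustration only).
SAMPLE_7U11 = (
    'java version "1.7.0_11"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_11-b21)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)\n'
)
SAMPLE_6U38 = (
    'java version "1.6.0_38"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_38-b05)\n'
)
SAMPLE_MODERN = (
    'openjdk version "11.0.2" 2019-01-15\n'
    'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n'
)


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` text, or None."""
    m = _LEGACY.search(output)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _MODERN.search(output)
    if m:
        # Modern scheme: treat the third component (security level) as the update.
        return int(m.group(1)), int(m.group(3))
    return None


def compare_to_baseline(version, baseline=(7, 11)):
    """Classify a parsed (major, update) pair against a baseline pair."""
    if version is None:
        return "unknown"
    if version < baseline:
        return "older than baseline"
    if version == baseline:
        return "baseline"
    return "newer than baseline"


def installed_java_version():
    """Run `java -version` if a java binary is on PATH; None when absent."""
    java = shutil.which("java")
    if java is None:
        return None
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    # Version text normally goes to stderr; tolerate runtimes that use stdout.
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, sample in [("7u11", SAMPLE_7U11), ("6u38", SAMPLE_6U38),
                         ("11.0.2", SAMPLE_MODERN)]:
        parsed = parse_java_version(sample)
        print(f"{name}: parsed={parsed} -> {compare_to_baseline(parsed)}")
    local = installed_java_version()
    if local is None:
        print("local java: not installed (or not on PATH)")
    else:
        print(f"local java: {local} -> {compare_to_baseline(local)}")
```

The check reports patch level, not safety: as the article notes, Update 11 was being exploited within a day of release, so "baseline or newer" only tells you the runtime is current, while "not installed" is the state Cappos is recommending for end-user machines.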

While the company continually develops "patches" to try to correct the problems, Cappos is not confident that any lasting solutions will be found. "There's no end in sight," he said. "As fast as Oracle can fix one bug, another is discovered." He strongly suggests that users disable Java on their machines. "Other computer-security experts agree, and we're not being alarmists here. Even the Department of Homeland Security is making the same recommendation." He stresses that disabling Java will not affect a computer's performance or utility. "The program once made the browsing experience more powerful and responsive and allowed for wonderful, complex websites," he recalled.

"But Java is now totally unnecessary for most end-users, and developers of Internet Explorer and Chrome have worked to make disabling it a simple process anyone can complete. Firefox and Safari now disable Java by default." Cappos cautions that many people confuse Java and JavaScript, although the two are vastly different products whose similar names are merely the result of a poor marketing decision. "I once heard an apt description that Java is to JavaScript as car is to carpet," he quipped. "JavaScript is unequivocally not part of the Java platform and does not pose similar dangers."

Years ago, Cappos approached the software giant about the security risk of having a large amount of security-critical code in Java. He draws on practical experience with a secure execution environment for the Seattle TestBed, a free, community-driven, open-source system that operates on laptops, servers and phones. The global distribution of the Seattle network allows it to be used in cloud computing, peer-to-peer networking, ubiquitous/mobile computing, and distributed systems, among other applications. It boasts thousands of users around the world, including major universities and research facilities, and is open for anyone to participate in.

Because Seattle's sandbox employs only about 8,000 lines of trusted code, it runs in a safe and contained manner, with minimal impact on system security and performance. "We're always working to see how far we can push. We want to make it even smaller," Cappos said. "A million lines is obviously just too much."
