What's wrong with Java?

He added: "What recent experiences may do is accelerate the use of more advanced browser-based UI technologies, such as HTML5, but will not affect Java as many companies' server platform of choice for enterprise applications."

Indeed, since most enterprise use requires the Java platform to be deployed but not the browser plugin, it is perfectly feasible to do so safely by disabling the 'Enable Java content in the browser' option, which can be done by running the installer with the command-line option WEB_JAVA=0.
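As an added illustration that is not part of the original article, the PowerShell snippet below runs the silent install described above with WEB_JAVA=0 and then reads back the resulting setting so an administrator can confirm the plugin really is off. The installer path is a placeholder, and the assumption that the setting is reflected as deployment.webjava.enabled in the per-user deployment.properties file is mine, not the article's.

```powershell
# Added example (not from the article): silent JRE install with the browser
# plugin disabled, followed by a read-back of the setting.
# Assumptions: $Installer is a placeholder path; the check reads the per-user
# deployment.properties under %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment.

$Installer = 'C:\Temp\jre-windows-installer.exe'   # placeholder path

# /s = silent install; WEB_JAVA=0 clears "Enable Java content in the browser".
$proc = Start-Process -FilePath $Installer -ArgumentList '/s', 'WEB_JAVA=0' -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Java installer exited with code $($proc.ExitCode)"
}

function Test-BrowserJavaDisabled {
    param(
        [string]$PropertiesPath = (Join-Path $env:USERPROFILE `
            'AppData\LocalLow\Sun\Java\Deployment\deployment.properties')
    )
    if (-not (Test-Path -LiteralPath $PropertiesPath)) {
        # No properties file: nothing has turned the plugin off, so report enabled.
        return $false
    }
    # Take the last occurrence of the key; later lines override earlier ones.
    $line = Get-Content -LiteralPath $PropertiesPath |
        Where-Object { $_ -match '^\s*deployment\.webjava\.enabled\s*=' } |
        Select-Object -Last 1
    if (-not $line) { return $false }          # key absent: Java defaults to enabled
    if ($line -match '=\s*(\S+)\s*$') {
        return ($Matches[1] -ieq 'false')
    }
    return $false
}

if (Test-BrowserJavaDisabled) {
    Write-Output 'Browser Java is disabled (deployment.webjava.enabled=false).'
} else {
    Write-Output 'WARNING: browser Java still appears to be enabled on this profile.'
}
```

Run the check on its own (without the install step) against each user profile to audit machines that were installed earlier.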

Bearing in mind all that I've covered so far, the thing that was really nagging at me and that I wanted to get to the bottom of was whether Java is therefore inherently and programmatically insecure.

Bad to the bone?

Putting the question to the security and development community proved to be something of a schizophrenic experience, with opinion being fairly evenly split between the yes and no camps.

David Emm, senior security researcher at Kaspersky Lab, argues that despite Java topping the lab's list of vulnerable applications in 2012, this wasn't because there is anything intrinsically wrong with it.

"Cyber criminals target applications that are likely to reap rewards for them, in this case installing their code on a vulnerable system," Emm insists. "This means targeting an application that is widely-used and often goes unpatched. Java is often installed by default, even where people don't necessarily need it. As a result, if it goes unpatched it becomes a potential threat."

Another security vendor disagrees, however. Catalin Cosoi, chief security strategist at Bitdefender, argues that "much like actual hardware, a Java virtual machine is built to run arbitrary code, and modified to not-run some code."

Cosoi continued: "This is based on a constantly changing (and by definition) incomplete list of criteria, which may or may not be properly translated into software functionality. If this sounds bad for security, it's because it is."

Cosoi told me that relying on the Java virtual machine for system security is not such a great idea and that the virtual machine should be trusted to run code in its own context. "The limits of that context and the trustworthiness of the code which the Java VM is allowed to execute should be judged and enforced elsewhere," Cosoi concluded, perhaps not surprisingly adding, "namely at OS level, with the aid of specialised security software."

But Trustwave's Mador is almost evangelical when he insists that "Java has a good security-oriented design and gets better with each version." Mador does agree, however, that for organisations which cannot disable the plugin because they use Java in their environments, the way forward is to have security solutions in place that claim to handle Java vulnerabilities. This brings us nicely to the 'disable or not' debate that has been raging rather furiously within the IT security sector of late.

Some, such as Jovi Bepinosa Umawing, communications and research analyst at GFI Software, told me that "for the time being, it is best that users disable Java", on the grounds that researchers have already successfully exploited the vulnerability in a sandboxed environment and new exploit kits have already appeared on the dark market. This suggests that the Oracle patch doesn't completely address the vulnerability issue.

His colleague, Dodi Glenn, isn't quite so convinced and instead advises that any business running Java in their environment should create an action plan in the event of a vulnerability being discovered which "includes ensuring the machines are patched, as soon as an update is available, and there is an ability to disable Java from all machines if need be."

Andrew Storms, director of security operations at nCircle, has a practical solution for the smaller end of the business spectrum, which is: "if you have to run Java for an application, use a security zone or only use Java plugins on trusted sites."

Storms added: "Both Chrome and Firefox have options that allow users to authorize the use of Java plugins anytime they are requested, so it makes sense to switch to one of these browsers when users want to be selective about the use of Java plugins."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.