Security and Java!

In a detailed blog, Nandini Ramani, Vice President of Software Development, summarizes Oracle steps to address security issues on the Java platform. Amongst the most recent changes,  she explains that "it is now possible to run signed applets without allowing them to run outside the sandbox, and users can prevent the execution of any applets if they are not signed". She lists the impacts of those changes and mentioned for example that "Oracle urges organizations whose sites currently contain unsigned Java Applets to sign those Applets according to the documented recommendations."  

She also explains that "Oracle has found that the public coverage of the recently published vulnerabilities impacting Java in the browser has caused concern to organizations committed to Java applications running on servers.  As a result, Oracle is taking steps to address the security implications of the wide Java distribution model, by further dissociating client/browser use of Java (e.g., affecting home users) and server use (e.g., affecting enterprise deployments). With Java 7 update 21, Oracle has introduced a new type of Java distribution: “Server JRE.”"

She added that "starting in October 2013, Java security fixes will be released under the Oracle Critical Patch Update schedule along with all other Oracle products.  In other words, Java will now issue four annual security releases."

Check out her original blog 


My opinion about the recently discovered security issues in Java is that when you're installing a Java applet you have to trust the applet creator - and not Java (or Oracle, for that matter). The same way when you run an executable file on your Windows Machine - if that executable is malicious then it's not Windows (or Microsoft's) problem.

The world was a bit too harsh on Java - I'm not a big fan of the language myself but I can't but admit that most of the devices I'm using are powered by Java, in one way or the other.

Posted by Fadi El-Eter on June 01, 2013 at 05:22 AM PDT #

while java itself is a great platform, the usability for end users is not.
"security and java" is one of the best examples of that. currently when running an unsigned applet my browser first asks me if i want to allow or block the content being loaded (i can't even look at the page at this point!). if i click allow i get a gigantic popup with a warning icon that tells me clicking ok could cause serious harm to my computer. further i have to tick a box to declare i'm aware of the risk involved.

besides the fact that the popup is not the prettiest, there's no need to make this a blocking popup at load time in the first place.

currently you get the following:
- type a url, hit enter
- a giant popup tells you you'll ruin your computer if you click ok
- if you decline (like suggested) you have no way of enabling the applet again

imho a first step to improve this would be:
- don't run the applet, don't warn the user
- replace the applet with a "run..." text/icon
- show the nasty dialog only after a user ensured this is what they want.
- then the cancel button in the popup would actually make sense too (you could just press play again).

and i have one big question: why does it make a difference if the applet is signed or not? if i understand correctly sandboxed code can't - or at least shouldn't be able - to access or modify critical resources on a computer anyways. no other technology places this additional burden on developers and i completely fail to understand how it improves security. i would be delighted if someone could enlighten me.

Posted by guest on June 05, 2013 at 01:49 PM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed

Insider News from the Java Team at Oracle!



« May 2016