Why are there so many issues with Java?


It seems that whenever there is a zero-day vulnerability, there is a better than even chance that it will have something to do with Java. What is it about Java that makes it so prone to security threats? Oracle isn't exactly some start-up operating out of a garage; you would think they would have this Java thing figured out by now.

Topic: Security


Vote Up (30)

The way Java is constructed includes what they call the "Security Manager", which is intended to restrict applications to running in the Java sandbox. This is a major part of the problem, somewhat ironically, because the Security Manager has a number of interconnected subsystems that have repeatedly allowed exploits to bypass it and gain access to the machine running Java. The issue, or at least part of it, is that the way all of the subsystems interact makes it much harder to correct than it would be to fix a single flaw, partially because of unintended consequences: changes made to one subsystem to fix one flaw may open up a new potential exploit through a different subsystem. Also, Oracle doesn't play well with others, and won't work with people outside of the company to attack flaws, so they do everything in a bit of a vacuum.


I am so sick of Oracle trying to install unwanted junk like toolbars and add-ons with every update that I'm done with Java anyway. I really, really don't want an Ask Toolbar, and I don't want to have it installed by default unless I opt out EVERY SINGLE UPDATE! Grrrrrrrrr! Ars has a harsh article on this very topic today, in fact.
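As an added illustration of the sandbox the Security Manager is meant to enforce (example code written for this page, not from the thread or from Oracle), here is a minimal manager that confines file reads to one directory and refuses everything outside it; the class names, the choice of the temp directory as the boundary and the sample paths are assumptions.

```java
import java.io.File;

/**
 * Added illustration, not code from this thread: a minimal SecurityManager
 * that confines file reads to one directory, to show what the Java sandbox is
 * meant to do. Everything except file reads is left permitted so the demo runs
 * without a policy file; a real sandbox denies by default.
 * Runs unchanged on Java 8-17; Java 18+ needs -Djava.security.manager=allow,
 * since SecurityManager is deprecated for removal.
 */
public class SandboxDemo {
    static final class ReadOnlySandbox extends SecurityManager {
        private final String allowedDir;
        ReadOnlySandbox(String allowedDir) { this.allowedDir = allowedDir; }

        // Policed operation: only paths under allowedDir may be read.
        @Override public void checkRead(String file) {
            if (!file.startsWith(allowedDir)) {
                throw new SecurityException("sandbox denied read of " + file);
            }
        }
        @Override public void checkRead(String file, Object context) { checkRead(file); }

        // Demo-only: every other check passes. A real sandbox delegates to a policy.
        @Override public void checkPermission(java.security.Permission p) { }
        @Override public void checkPermission(java.security.Permission p, Object ctx) { }
    }

    /** Returns true if the manager blocked the read attempt, false if it was allowed. */
    static boolean readIsBlocked(String path) {
        try {
            new File(path).canRead();   // File.canRead consults SecurityManager.checkRead
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample boundary: the temp directory is the whole sandbox.
        String allowed = System.getProperty("java.io.tmpdir");
        String inside = new File(allowed, "x.txt").getPath();
        String outside = new File(System.getProperty("user.home"), "secret.txt").getPath();
        System.setSecurityManager(new ReadOnlySandbox(allowed));
        System.out.println("inside sandbox blocked:  " + readIsBlocked(inside));   // false
        System.out.println("outside sandbox blocked: " + readIsBlocked(outside));  // true
    }
}
```

The point of the thread's first answer is that the real sandbox is far larger than this one class: reflection, class loading and the permission checks all interlock, so a gap in any one of them undoes the policy the manager enforces.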

Vote Up (23)

Here's an article that explains how to disable Java altogether. Probably a good idea for most people.

Java is Insecure and Awful, It’s Time to Disable It, and Here’s How

"As usual, there’s yet another security hole in the Java Runtime Environment, and if you don’t disable your Java plugin, you’re at risk for being infected with malware. Here’s how to do it.

Security holes are nothing new, but in this case, the security hole is really bad, and there’s no telling when Oracle will get around to fixing the problem. Plus, how often do you really need Java while browsing the web? Why keep it around?"

Bill Anderson
Vote Up (22)

Well, with most all applications in the world running on JAVA there are inevitably going to be problems that arise. So folks, go ahead and disable Java in your browsers, and while you're at it throw your cell phones, PDAs and all the other "fun things" you have at your disposal away. This includes your XBOX 360 and your PlayStations that are running all those "cool games" that include Java libraries that you know nothing about. Yes, trash the cable TV box too; flawed Java is what brings all those channels to you in HD.


And while you're at it, get rid of that internet router. It also runs on Java. Oh yeah, you will also need to close that bank account. Most banking applications run on Java also. You will also need to get rid of that debit and credit card; Java reads it when you swipe.



Alas, now you can pitch your tent and go to the woods. That is what you will have left. Of course, then you will be vulnerable to bears and the like.


But yea, Oracle knows nothing about JAVA technology, right?


While I think you make a good point about the prevalence of Java, you are comparing apples (small A) and oranges a little. Java running in a browser is not the same thing as JavaScript or Java Card. Also, while the Android SDK uses Java, so apps are written in Java, the phone itself is using Dalvik instead of the Java Virtual Machine, and is not vulnerable in the same way as a machine with Java SE 7 running in the browser. I agree with you that Java is widely used, and is widely useful. However, in the context of use in a browser, which I inferred from the original question because of the use of the term "zero day vulnerability" and the well publicized security weaknesses of Java SE 7, the picture is not so rosy, and there is little compelling reason to continue to use it.
Agili Ron
Vote Up (19)

Hello Friends,

Java is a popular programming language that is used to develop games, applications, and utilities that are found on the Internet, cell phones, and other digital devices. There are thousands of other programming languages out there, such as C, C++, HTML, ColdFusion, Python, Flash, PHP, Visual Basic, and more, but Java has gained popularity in the last few years because it will work on many different kinds of computers.
It is the same reason that there are frequent updates for the Flash player. Because these applications are installed on so many computers around the world, and because they are cross-platform, they are extremely vulnerable to security risks. They are frequently targeted by hackers and other cyber criminals, so Sun Microsystems is constantly trying to stay one step ahead of the bad guys.

Thanks and Regards,
Agili Ron

