How big a security risk is Java? Can you really quit using it?

Summary: As OS vendors get better about patching their own flaws, malware authors are increasingly turning to third-party code to get their dirty work done, and Java is high on the list. It's easy to say, "Just don't use Java," but what if a program you use requires it? I've got a list of problem apps and solutions.

Update January 10, 2013: A zero-day exploit is in the wild, attacking fully patched versions of Java. You can protect yourself by disabling the Java plugin from your browser(s) or removing Java completely.

The criminals who successfully infected 600,000 Macs with the Flashback malware (aka Flashfake) could just as easily have trained their guns on Windows or Linux users.

That’s the problem with exploits that target vulnerabilities in cross-platform runtimes like Flash Player and the Java Runtime Engine (JRE). Even if your operating system is fully up to date, an unpatched vulnerability in that third-party code can lead to havoc.

As the Mac community discovered, a user can go to a perfectly legitimate site, be infected with absolutely no warning, and have untrusted code running on the box. That infection typically includes a component that can download additional malware later, also without warning.

Indeed, as operating system vendors get better about patching their own flaws, malware authors are increasingly turning to third-party code to get their dirty work done, and Java is high on the list. In the second quarter of 2011, Kaspersky Labs researchers listed two “Highly Critical” Java vulnerabilities in their top 10 list (six of the remaining eight entries on the list involved Adobe Flash Player). A presentation by Kaspersky’s Kurt Baumgartner at the VB2011 conference called out “the recent explosion in prevalence of both client-side Java exploitation and Android malware development,” and in a separate October 2011 blog post, Baumgartner noted that Java exploits had taken over the #1 spot on the list.

The best defense against this kind of attack is to remove the vulnerable runtime engine so that it can’t be exploited. On a recent-vintage PC or Mac, the odds are in your favor, at least initially.

  • Java is not installed by default with any modern version of Windows, thanks to an April 2004 antitrust settlement between Microsoft and Sun Microsystems. (Sun was later acquired by Oracle, which now owns and maintains Java.)
  • Apple maintains Java separately from Oracle. Apple’s Java was included with Snow Leopard and earlier versions of OS X. If you have one of these OS X versions installed, you must disable it manually, and there is no option to uninstall it. That’s one reason the Flashback attack hit Snow Leopard users especially hard.
  • Apple’s release of Java is not included with a new installation of OS X Lion. If you upgrade from Snow Leopard to Lion, however, the JRE remains on the system and can be targeted by Java-based exploits.

So, if you start with a clean installation of Windows 7 or OS X Lion, you’re immune from Java-based exploits. But all it takes is one application that requires Java, and you see a message like these:

At that point, you have to make the tough choice: install the JRE and make yourself vulnerable, or find an alternative to that app.

Out of curiosity, I did some research to see which apps still require Java. The list is longer than I thought.

Two widely used role-playing games require Java: Minecraft claims to have 26 million registered users, including 5.5 million who have purchased the game. Runescape, according to Wikipedia, “has approximately 10 million active accounts per month [and] over 156 million registered accounts.”

CrashPlan Pro, an online backup service, uses a Java-based client on OS X and Linux. Java is not required for the Windows client.

Adobe Creative Suite 5.5 is one of several widely used Adobe programs that require Java. This language appears in a support document at Adobe.com:

Many Adobe applications are dependent on the Oracle Java Runtime Environment (JRE) for some features to work. … Adobe and Apple have worked together to ensure that you can install Java [on OS X Lion] at OS install time. Or that it can be installed at a later time before you install Adobe applications. At runtime when you launch an Adobe application, you are prompted to install Java if it is not already installed. If you do not install Java before running an Adobe application, there can be missing or improperly behaving features.

OpenOffice, a free alternative to Microsoft Office, uses Java for many features. The main download page notes that the JRE is included in all versions except those for Linux and OS X, adding this explanation:

Java is required for complete OpenOffice.org functionality. Java is mainly required for the HSQLDB database engine (used by our database product Base) and to make use of accessibility and assistive technologies. Furthermore some wizards rely on Java technology.

On Twitter, I asked my followers for other examples, and found a smattering of less widely used programs that require Java to run:

Some banks require you to use Java if you want to bank online. Northern Bank (based in Northern Ireland) and the Bank of Ireland were both pointed out to me via Twitter.

In the education market, Java is required by the widely used Blackboard Learning System and by GeoGebra.

If you write code using the popular Eclipse Integrated Development Environment, you must have a JRE installed.

But it’s in the enterprise space that Java really has a high profile. I heard from several users of virtual private network (VPN) clients who have no choice but to maintain a local installation of Java if they want to connect to a corporate network. Cisco’s AnyConnect is one; Oracle's Secure Global Desktop client is another.

A reader at a four-year university noted that his institution’s Oracle-based student and financial systems all require Java. And I heard from one person who said his company’s electronic medical records system was built on Java.

In short, Java is easy to avoid, except when you can’t.

My advice? If you can find a way to go completely Java-free, do it. You’ll be free of a significant source of vulnerabilities and you’ll have one less third-party program to worry about updating.

If you must use Java because it’s required by a program or web site for which you have no alternative, consider disabling the Java plugin in your default browser, and use a secondary browser exclusively for any Java-related activity.
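The advice above comes down to two checks you can run on your own machine: is there a browser-reachable Java plugin (the part a drive-by page can attack), and is there a Java runtime at all (which desktop programs such as Eclipse or CrashPlan may still need)? The script below is an added example, not code from the article or from Oracle, Apple or ZDNet. It inventories the common install locations of both on macOS and Linux under a root directory you pass in and reports one of three verdicts. The list of paths is an assumption drawn from common install locations, not an exhaustive catalogue, and the sample directory tree it builds for demonstration is constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from Oracle, Apple or ZDNet.
# Inventories the usual install locations of a browser Java plugin and of a
# Java runtime (JRE) on macOS and Linux, relative to a root directory, and
# classifies the machine as java-free, runtime-only (a JRE for desktop apps
# but no browser-reachable plugin) or plugin-exposed. The path list below is
# an assumption based on common install locations and is not exhaustive.
set -u

# Browser-reachable plugin artifacts: this is what a drive-by page can reach.
plugin_paths() {
    cat <<'EOF'
Library/Internet Plug-Ins/JavaAppletPlugin.plugin
usr/lib/mozilla/plugins/libnpjp2.so
usr/lib64/mozilla/plugins/libnpjp2.so
EOF
}

# Runtime artifacts: a JRE that desktop programs (Eclipse, CrashPlan, ...) use.
runtime_paths() {
    cat <<'EOF'
Library/Java/JavaVirtualMachines
System/Library/Frameworks/JavaVM.framework/Versions
usr/lib/jvm
usr/bin/java
EOF
}

# find_artifacts ROOT plugin|runtime : print each listed path that exists under ROOT.
find_artifacts() {
    root=${1%/}          # "/" becomes "", so "$root/$rel" stays a clean absolute path
    case $2 in
        plugin)  list=$(plugin_paths) ;;
        runtime) list=$(runtime_paths) ;;
        *) echo "usage: find_artifacts ROOT plugin|runtime" >&2; return 2 ;;
    esac
    printf '%s\n' "$list" | while IFS= read -r rel; do
        if [ -n "$rel" ] && [ -e "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
        fi
    done
}

# count_artifacts ROOT plugin|runtime : number of matching paths (always prints a number).
count_artifacts() {
    find_artifacts "$1" "$2" | awk 'END { print NR }'
}

# java_exposure ROOT : one-word verdict for the machine rooted at ROOT.
java_exposure() {
    if [ "$(count_artifacts "$1" plugin)" -gt 0 ]; then
        echo plugin-exposed
    elif [ "$(count_artifacts "$1" runtime)" -gt 0 ]; then
        echo runtime-only
    else
        echo java-free
    fi
}

# make_sample : build a constructed directory tree that mimics a Linux box with
# a JRE under /usr/lib/jvm and the Firefox Java plugin installed; prints its path.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/lib/jvm" "$dir/usr/lib/mozilla/plugins"
    : > "$dir/usr/lib/mozilla/plugins/libnpjp2.so"
    printf '%s\n' "$dir"
}

# Usage: sh java_audit.sh [ROOT]   (ROOT defaults to /, i.e. the running system)
root=${1:-/}
echo "Java exposure under $root: $(java_exposure "$root")"
find_artifacts "$root" plugin
find_artifacts "$root" runtime
```

Run it with no argument to audit the live system, or point it at a mounted disk image to audit another machine. A result of `runtime-only` is the compromise the article describes: applications that need Java keep working, while the browser has nothing to hand a hostile page. Note that the script only looks for files on disk; it does not tell you whether a browser has a plugin disabled in its own settings, so a `plugin-exposed` verdict on a machine where you have disabled the plugin in the browser is a reminder to remove the file rather than rely on the setting alone.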

Topics: Software Development, Open Source, Security

Talkback

139 comments
  • You opened a can of worms.

    You have lot of guts. Just saying.
    Ram U
    • Yes, you are going against Larry Ellison...

      which is god.
      phatkat
    • It's actually common sense...

      The fewer programs you have, the fewer vulnerabilities you have (we call that a no brainer)... One of the reasons I run all my systems with only what I absolutely need... .Net is a huge vulnerability, Silverlight is another massive hole waiting to happen, Java, Adobe, etc. Get rid of everything you absolutely do not need and your system will be far less vulnerable.
      i8thecat4
  • Such damn good advice.

    Yet when I suggested something similar the comment got voted to oblivion, this new voting system simply doesn't work.

    Ed is absolutely right, Windows and Mac OS X are both getting far better at security, but plugins aren't. These things are the new "weak link". Though Ed doesn't say so, AV software is very overrated in its role - it wouldn't have helped any Mac users with this problem (none of the solutions was detecting this prior to Apple, finally, releasing a patch).

    It seems the real solution to this is a "plugin free web". I know some will say sandboxing is the solution - but software has broken out of its (impenetrable) sandbox before.

    Seems both Apple and Microsoft are moving in this direction, Apple have iOS, Microsoft have Windows 8 on ARM (or to a lesser extent IE on Metro).
    jeremychappell
    • I just "up voted" your comment, Jeremy. Grin.

      I thought about disabling Java entirely on my system the first time I read about this exploit. However .. as Ed pointed out, Java is currently essential. (I use Adobe Creative software on my Mac system, for example.) There is only one compromise that I could come up with. Before I went online, I could disable Java system wide through the Java Preferences and then enable it when I wish to use Photoshop, off line, for example. But, as Ed alluded to, this compromise, as with all compromises, is a hassle, at best.
      kenosha77a
      • Though Ed was not right about the dangers of Java vulnerabilities

        Ed wrote that a user could go to a "perfectly legitimate site" and get infected, but the practice of the latest fishing case for Macintoshes proves otherwise.

        [b]None of the perfectly legitimate sites[/b] (like ZDNet, Google, iTunes, NYT, YouTube, Adobe, et cetera) [b]would ever hold a danger of such infection[/b]. Only weird, poorly secured or even outright malicious sites would hold that trojan.

        So it is not easy to get infected even if your Java is not patched yet.
        DDERSSS
      • Surely on Mac OS X

        Just disable Java in Safari to avoid drive by downloads. Continue to use Adobe products as you wish.
        Richard Flude
      • @DeRSSS, how naive are you?

        "None of perfectly legitimate sites (like ZDNet, Google, iTunes, NYT, YouTube, Adobe, et cetera) would ever hold a danger of such infection. Only weird, poorly secured or even rightaway malicious sites would hold that trojan."

        Given that Sony has been hacked. DHSS have been hacked. I seriously cannot believe that you attempt to tell people that ZDNet could not be compromised.

        Besides, you're totally missing the point. I don't HAVE to compromise ZDNet. I could compromise one of the advertising affiliates. And push my malware to any site that uses them WITHOUT having to compromise their site.

        It's plain you have no idea about web security. Please think about what you're writing in future. Or at the very least have some awareness of the topic in hand. Putting things in BOLD does not make them any more true when they are patently false.

        Thanks.
        Bozzer
        • Infected via Java ad

          I don't believe any sane web site will serve Java ads to their audience. That would be plain stupid. Sane sites should not serve Flash ads, as well.

          Many users block these via special plugins, anyway.

          Also, you don't blindly let your advertisers push ads on your web site. If you are a reputable site, that is.
          danbi
      • Deleted

        deleted - wrong spot. Sorry.
        NonFanboy
      • And the ads?

        What about all the ads they vend - trust them too?

        You might be relying on rather more people than you initially realise.

        So if you keep to the "well lit" parts of the Internet then, sure, your risk is reduced; but not to zero. What about miskeyed URLs, or Google (Bing, Yahoo - whoever) searches?
        jeremychappell
      • Perfectly legitimate sites

        @DeRSSS,

        As others have noted, any site can be compromised, either directly or through ad networks. And you mention Google as an example of a site that would never ever be unsafe. But that's not what they say:

        http://www.zdnet.com/blog/bott/google-busts-itself-for-distributing-malware/4001

        The current round of infections is apparently being distributed through a network of compromised WordPress sites that are neither weird nor malicious looking. They are poorly secured, but it's impossible for a visitor to know that. And there's the problem.
        Ed Bott
      • Legitimate Sites

        @ DeRSSS

        "None of perfectly legitimate sites (like ZDNet, Google, iTunes, NYT, YouTube, Adobe, et cetera) would ever hold a danger of such infection. Only weird, poorly secured or even rightaway malicious sites would hold that trojan."

        Most legitimate sites are pumped full of third party ads to help pay for the sites. Those third party ads have been, and still are, one of the many "fun" ways that malware ends up on users' systems. A few years ago, one of those vendors ended up on the home page of Yahoo, and a few weeks later ended up on the main page of MSN. The problem is accountability and transparency - the ads are nothing but a placeholder to the owners of the legitimate websites; their servers never download the code but just forward the download address to the clients' systems.

        Not sure if you were aware of this.....
        rock06r
      • On advertising networks

        Seems the advertising networks are one of the worst things on the Internet. I am surprised to hear that sites such as ZDNET need advertising money in order to survive...

        Then, this advertising that requires Flash and Java plugins.. is really weird.

        The Internet will be a much better place if this advertising madness comes to an end.
        danbi
      • I could care less about their ads

        [i]What about all the ads they vend - trust them too?[/i]

        So what. Who cares.

        Plug-in free web = Pie-in-the-sky fly.

        Until there's no longer a need for things like Adblock and Flashblock, there will never be a plug-in free web. Not as long as advertisers continue to throw stupid, obnoxious ads into my browser there won't.
        ScorpioBlack
      • Malicious Ads on Legitimate Sites

        @DeRSSS
        I have seen malware laden ads on perfectly legitimate sites more than once. They usually don't stay long, but it's quite possible for a legitimate site to end up linking you to a malware infested ad.
        CFWhitman
      • nevermind

        nevermind
        BCF1968
      • Photoshop and Java

        I am not aware of anything in Photoshop that requires Java. So you may safely disable it at any time. Or at least definitely disable it in the browser. Apple's earlier update for this incident actually modified OS X to disable it automatically if you don't use it for some period of time.

        Actually, Ed's reporting is incorrect here.
        It is not the JRE that is vulnerable as such, it is the web browser plugin. If you disable the Java plugin in your browser, you can visit any web site you wish and not be infected via Java, while at the same time you could run software that requires Java on your computer, such as Eclipse, all the time. You could even run Eclipse (and Java) while visiting web sites with Java disabled in the browser.

        Also, any Java applet you execute in the browser must be cryptographically signed. If it is not signed, the Java plugin will issue a warning message and ask for confirmation. You either have to agree to execute the malware, or have the plugin configured not to check and ask.
        Or, of course, the malware might be signed with someone's legitimate certificate -- in which case you can do nothing. But if this is the case, you don't need Java to get infected...
        danbi
    • It is ironic...

      ... how Java was once promoted as the most secure thing on the Web and how it devolved to being as bad as if not worse than ActiveX.
      Earthling2
    • All operating systems can be infected. Only Linux has LSM.

      Folks,
      Linux can get infected just like any other operating system.

      But the big difference is that Linux Security Modules (LSM) was designed to intercept unintended side-effects.

      The role of LSM on Linux when installed and sandboxing a given application is to examine each discrete action taken by that application and, this is important, [b][i]also the actions taken by the 'kernel'[/i][/b].

      The 'policing' done by LSM guarantees that nothing that isn't defined by the application's LSM profile will take place. This puts your application in a 'sandbox'.

      No Zero Day exploit can escalate on a Linux system running LSM on which the targeted application is sandboxed.

      That is real 'peace of mind'.

      Linux with LSM: the safest operating system on the Planet.

      I stake my reputation on it.

      Here's LSM 'AppArmor' running on my system:

      [pre]
      root@AOD260:/etc/apparmor.d# aa-status
      apparmor module is loaded.
      14 profiles are loaded.
      14 profiles are in enforce mode.
      /sbin/dhclient
      /usr/lib/NetworkManager/nm-dhcp-client.action
      /usr/lib/connman/scripts/dhclient-script
      /usr/lib/cups/backend/cups-pdf
      /usr/lib/firefox/firefox{,*[^s][^h]}
      /usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
      /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
      /usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
      /usr/lib/telepathy/mission-control-5
      /usr/lib/telepathy/telepathy-*
      /usr/sbin/cupsd
      /usr/sbin/mysqld-akonadi
      /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
      /usr/sbin/tcpdump
      0 profiles are in complain mode.
      7 processes have profiles defined.
      7 processes are in enforce mode.
      /sbin/dhclient (4158)
      /usr/lib/firefox/firefox{,*[^s][^h]} (4231)
      /usr/lib/firefox/firefox{,*[^s][^h]} (4266)
      /usr/lib/firefox/firefox{,*[^s][^h]} (4269)
      /usr/lib/firefox/firefox{,*[^s][^h]} (4296)
      /usr/lib/telepathy/mission-control-5 (2062)
      /usr/sbin/cupsd (9187)
      0 processes are in complain mode.
      0 processes are unconfined but have a profile defined.
      root@AOD260:/etc/apparmor.d#

      [/pre]
      Dietrich T. Schmitz *Your
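The `aa-status` listing in the comment above shows what the commenter is relying on: the Firefox profile is loaded in enforce mode, a running Firefox process is confined by it, and the profile carries a `//browser_java` child profile for the Java plugin. The script below is an added example, not code from the comment or from the AppArmor project; it parses an `aa-status` report and answers those three questions for a named browser profile. `SAMPLE_STATUS` is a constructed, shortened copy of the listing in the comment; on a real machine, pass the output of `aa-status` instead.

```shell
#!/bin/sh
# Added example, not code from the comment above or from the AppArmor project.
# Reads an aa-status report and checks that the browser process is confined by
# a profile in enforce mode and that the profile has a //browser_java child
# profile for the Java plugin. SAMPLE_STATUS is a constructed, shortened copy
# of the listing in the comment; on a real machine pass "$(aa-status)" instead.

SAMPLE_STATUS='apparmor module is loaded.
3 profiles are loaded.
3 profiles are in enforce mode.
/usr/lib/firefox/firefox{,*[^s][^h]}
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/sbin/cupsd
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
/usr/lib/firefox/firefox{,*[^s][^h]} (4231)
/usr/sbin/cupsd (9187)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.'

# enforced_list REPORT profiles|processes : the names listed under
# "N <kind> are in enforce mode." up to the next counter line.
enforced_list() {
    printf '%s\n' "$1" | awk -v kind="$2" '
        $0 ~ ("^[0-9]+ " kind " are in enforce mode") { on = 1; next }
        /^[0-9]+ /                                     { on = 0 }
        on                                             { print }'
}

# profile_enforced REPORT NAME : succeed if NAME is loaded in enforce mode.
# Exact string comparison, because profile names contain regex metacharacters.
profile_enforced() {
    enforced_list "$1" profiles | awk -v p="$2" '$0 == p { found = 1 } END { exit !found }'
}

# process_confined REPORT NAME : succeed if a running process is confined by NAME
# in enforce mode (aa-status prints these as "NAME (pid)").
process_confined() {
    enforced_list "$1" processes | awk -v p="$2" 'index($0, p " (") == 1 { found = 1 } END { exit !found }'
}

# browser_java_status REPORT BROWSER_PROFILE : one-word summary of the
# confinement the commenter describes.
browser_java_status() {
    if ! process_confined "$1" "$2"; then
        echo unconfined
    elif profile_enforced "$1" "$2//browser_java"; then
        echo confined-with-java-child
    else
        echo confined-no-java-child
    fi
}

FIREFOX='/usr/lib/firefox/firefox{,*[^s][^h]}'
echo "firefox: $(browser_java_status "$SAMPLE_STATUS" "$FIREFOX")"
echo "cupsd:   $(browser_java_status "$SAMPLE_STATUS" /usr/sbin/cupsd)"
```

On a live system call `browser_java_status "$(aa-status)" "$FIREFOX"` as root. The check confirms only that a profile is loaded, enforced and applied to a running process; it says nothing about how permissive that profile is, so a confined browser with a loose `browser_java` child can still let the plugin read and write whatever the profile allows. Treat it as a complement to disabling or removing the browser plugin, not a replacement for it.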