What happened to Java security?
January 16, 2013  

The headline’s overblown, but when I see that even the Department of Homeland Security wants you to disable your Java, I have to wonder what went wrong.

From the point of view of the programming language research community, Java was a breakthrough language that brought memory safety, strong typing, and garbage collection to mainstream programming. In my experience, these features make programs several orders of magnitude more secure than programs written in unsafe languages like C and C++, because they rule out whole classes of bugs (buffer overflows, use-after-free, type confusion) at the language level.
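To make the memory-safety point concrete, here is an added C example (not code from the original post). It assumes a constructed 16-byte record in which bytes 0–7 hold a name and byte 8 is an "is_admin" flag, and contrasts an unchecked copy in the style of `strcpy()`, which silently spills a long name into the flag, with a bounds-checked copy that refuses the write, which is the behaviour a memory-safe runtime such as the JVM enforces on every array access (Java throws an exception instead of returning an error code, but the security property is the same: the neighbouring field is never touched).

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout (an assumption for this example): a 16-byte record
 * with a NUL-terminated name in bytes 0-7 and an "is_admin" flag at byte 8. */
#define NAME_LEN     8
#define ADMIN_OFFSET 8
#define RECORD_LEN   16

/* Unchecked copy, strcpy()-style: writes strlen(src)+1 bytes no matter how
 * much room the name field has. A 9-byte name overwrites the admin flag. */
void set_name_unchecked(unsigned char rec[RECORD_LEN], const char *src) {
    memcpy(rec, src, strlen(src) + 1);   /* no bounds check at all */
}

/* Bounds-checked copy: refuse (return -1) rather than touch a neighbour.
 * This is the check a memory-safe language performs on every array write. */
int set_name_checked(unsigned char rec[RECORD_LEN], const char *src) {
    size_t n = strlen(src);
    if (n + 1 > NAME_LEN) return -1;     /* name plus NUL would overrun the field */
    memcpy(rec, src, n + 1);
    return 0;
}

/* Admin flag observed after the unchecked routine sets the name.
 * Inputs longer than the whole record are rejected so the demo itself
 * never writes outside the array it owns. */
int admin_after_unchecked(const char *src) {
    unsigned char rec[RECORD_LEN] = {0};
    if (strlen(src) + 1 > RECORD_LEN) return -1;
    set_name_unchecked(rec, src);
    return rec[ADMIN_OFFSET];
}

/* Admin flag observed after the checked routine sets the name. */
int admin_after_checked(const char *src) {
    unsigned char rec[RECORD_LEN] = {0};
    set_name_checked(rec, src);
    return rec[ADMIN_OFFSET];
}

/* Return code of the checked routine for a given name (0 = stored, -1 = refused). */
int checked_accepts(const char *src) {
    unsigned char rec[RECORD_LEN] = {0};
    return set_name_checked(rec, src);
}

int main(void) {
    /* Constructed attacker input: eight 'A's fill the name, then 0x01 lands
     * exactly on the flag byte when nothing checks the length. */
    const char *attacker = "AAAAAAAA\x01";
    printf("unchecked: is_admin=%d\n", admin_after_unchecked(attacker));
    printf("checked:   is_admin=%d rc=%d\n",
           admin_after_checked(attacker), checked_accepts(attacker));
    printf("benign:    is_admin=%d rc=%d\n",
           admin_after_checked("alice"), checked_accepts("alice"));
    return 0;
}
```

The unchecked path reports `is_admin=1` with no error of any kind, which is exactly why C overflows are so valuable to attackers; the checked path reports `rc=-1` and leaves the flag at 0.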

No implementation is completely secure, of course, but it’s striking that I’ve never seen the US government recommend disabling C.

Without doing a lengthy analysis, I can think of a few possible reasons for Java’s problems:

  1. Oracle/Sun have been bad stewards of the language, delaying and botching patches.
  2. Java is more exposed than other languages because Java applets can be embedded in web pages and run when the page loads.
  3. Exploits are targeting the native (C/C++) parts of the Java libraries rather than code written in Java.

One thing is clear: this particular bug has nothing to do with (3), libraries written in other languages. However, I think a review of all Java vulnerabilities in the CERT database is likely to show that most are in category (3).

Slow patches (1) are, of course, as common for Java as for a lot of other software systems. Oracle should do better, following the lead of Google and Microsoft.

But I think that (2) is the key problem. The only other language I have seen receive a “disable” warning is JavaScript, which is vulnerable in exactly the same way: it runs automatically from any web page you visit. Drive-by downloads and social engineering are how malware gets around these days. Actually, there is a C equivalent: ActiveX. It’s just that the recommendation there is to disable ActiveX, not all C programs.

Update

This Slashdot comment claims that Oracle has botched it, with exploits rising significantly since their purchase of Sun, and this report says that most of Sun’s Java division left. So perhaps (1) needs more weight.