Total failure of Java security

Wow, that’s a sentence I believed I would never write in my professional life: deactivate Java in your web browser immediately! In any browser and on any operating system. Instructions are available, for example, here and normally on your browser vendor’s home page. Turning it off has no impact on normal Java applications; those programs keep operating normally. If you are using an older Java version than 1.7, you should be fine and safe, at least with regard to this bug (but there are other bugs in Java 1.6 that have been fixed in Java 1.7).

What happened? Java applets, as unimportant as they are these days, are potentially harmful programs executed on your machine. You don’t want them to have access to everything. And for years we (including myself) believed that it is not possible to turn the Java applet security manager off or to modify it. This security manager is always and automatically in place when launching a Java applet, and it can’t be deactivated, replaced or swapped for another one. It makes sure that untrusted (a.k.a. dangerous) code from another machine does not have access to the local computer and its resources. At least up to now.
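To make concrete what the sandbox described above is supposed to enforce, here is an added example (not code from the original post): it installs the standard SecurityManager with the JRE’s default policy, under which code on the application class path is treated much like an untrusted applet, and shows that both reading a local file and removing the manager are denied. It assumes a Java 7 or 8 runtime; later JDKs have deprecated the SecurityManager.

```java
import java.io.FileInputStream;
import java.io.IOException;

public class SandboxDemo {

    // Returns true if the sandbox blocked the file read, false if it went through.
    static boolean fileReadIsDenied(String path) {
        try {
            new FileInputStream(path).close();
            return false;                 // no FilePermission check fired
        } catch (SecurityException e) {
            return true;                  // AccessControlException is a SecurityException
        } catch (IOException e) {
            return false;                 // file missing, but the read itself was permitted
        }
    }

    // Returns true if the sandbox refused to let us drop the SecurityManager.
    static boolean managerRemovalIsDenied() {
        try {
            System.setSecurityManager(null);
            return false;                 // manager gone: the sandbox is off
        } catch (SecurityException e) {
            return true;                  // RuntimePermission "setSecurityManager" not granted
        }
    }

    public static void main(String[] args) {
        // Install the standard manager. With the default java.policy, classes on the
        // application class path receive almost no permissions, comparable to an applet.
        System.setSecurityManager(new SecurityManager());

        // "/etc/hosts" is just a sample path for the demonstration.
        System.out.println("file read denied:       " + fileReadIsDenied("/etc/hosts"));
        System.out.println("manager removal denied: " + managerRemovalIsDenied());
        // Expected on an intact sandbox: both lines print true. If either prints false,
        // the sandbox is not doing its job, which is exactly the failure this post is about.
    }
}
```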

There is no way to put lipstick on the pig; this is a total failure of Java security. Sandboxes (not only the Java sandbox) have always been a problematic area and of course did and do contain security holes (like most other applications). But are there any alternatives?

I think it’s time to remove Java support from web browsers. At least by default. It’s only required for Java applets, and honestly, how often do you run into those? Java web applications, like other web applications, normally deliver HTML to the client. They don’t need a Java runtime on the client. Removing Java support from web browsers does not affect those applications. And the client itself can keep on using Java applications, that’s no problem either. So where is the downside?

Yes, I like Java, yes, I develop Java (web) applications, and I don’t want people and companies to stop using Java. It’s a great programming language and a great platform. But it’s time to rethink some old habits and get rid of mostly unused and insecure features that were only important in the past.

There are some good (German) technical details and some code available at heise Security; some English details are available here.

Update, 08/30/12: Oracle has released Java 7 Update 7 which fixes this critical vulnerability. You should update your systems immediately!

Update, 09/03/12: Turns out the new release is still vulnerable, see here (in German). If you do not use any Java applets, you had better turn off the browser plugin permanently.

Published by Dominik

Java architect, developer, author, trainer, speaker, JCrypTool project lead and secure programming enthusiast.