
#1 cfoley

Java desktop security

Posted 17 September 2013 - 05:51 AM

We all know that Java's browser plugin has security problems. What about the runtime environment for desktop applications? I've tried googling for information. It's easy to find problems about the browser sandbox and it's easy to find articles full of hyperbole, but it's difficult to find facts describing real problems with the desktop runtime environment.

Running code written in any language gives access to more or less all of the computer anyway. Intrinsically, I don't see a difference between Java and anything else in this regard. Are there other factors that make installing Java on a desktop a security risk?

This is an issue that has come up at work regarding an application I develop and support so I obviously have a vested interest, and I've chosen to post it here rather than the Java forum because I want to hear from non-Java programmers as well as Java programmers.

Replies To: Java desktop security

#2 modi123_1

Posted 17 September 2013 - 07:00 AM

My take is if you install the JRE for a desktop app it takes some work to close it off from web vulnerabilities and that's a negative. I've also seen work environments where JREs are *NOT* upgraded (intentionally) because some mission-critical app works on a version five years out of date but not going forward. Sure the app could be updated, but they were busy running new features and bug fixes to attempt to jump it a few versions.

Ultimately I think that is where the larger security bit crumbles with Java - businesses that cannot keep their app up to date with the latest version updates and it gets left behind, but at the same time leaving gaping holes - knowingly - open.

#3 Ryano121

Posted 17 September 2013 - 07:03 AM

I'm also interested in finding this out.

I thought that the security issues were focused solely on the browser plugin (which, as nobody ever uses it anymore, is no real problem anyways). I however don't see any reason why there would be any security issues with the desktop runtime environment. It makes more sense for the browser plugin but not for desktop runtime.

I have read tons of articles about the problems with the browser plugin, but not one directly referenced the sole use of the desktop environment. I would like to think we would hear a lot about it if there was some kind of flaw in it.

It would also be interesting to find out the current situation with the browser plugin as a whole. There have been a load of updates and security fixes lately but I don't know if they have completely fixed it yet.

#4 modi123_1

Posted 17 September 2013 - 07:09 AM

Quote

April 23, 2013 12:40 PM ET

IDG News Service - Java vulnerability hunters from Polish security research firm Security Explorations claim to have found a new vulnerability that affects the latest desktop and server versions of the Java Runtime Environment (JRE).

The vulnerability is located in Java's Reflection API component and can be used to completely bypass the Java security sandbox and execute arbitrary code on computers,
[...]
As the name suggests, the Server JRE is a version of the Java Runtime Environment designed for Java server deployments. According to Oracle, the Server JRE doesn't contain the Java browser plug-in, a frequent target for Web-based exploits, the auto-update component or the installer found in the regular JRE package.

[...]Oracle is aware that Java vulnerabilities can also be exploited on server deployments by supplying malicious input to APIs (application programming interfaces) in vulnerable components,


http://www.computerw...researchers_say

That's the point, right? Having tunnel vision on just the web plugin is not enough.

#5 cfoley

Posted 17 September 2013 - 08:14 AM

Quote

My take is if you install the JRE for a desktop app it takes some work to close it off from web vulnerabilities and that's a negative.


By closing it off from web vulnerabilities are you talking about not using the browser plugin?

Quote



This is exactly the sort of thing I was asking for but for the server version. Maybe the desktop version if it exposes an API that uses reflection but that would be odd.

Quote

I have read tons of articles about the problems with the browser plugin, but not one directly referenced the sole use of the desktop environment. I would like to think we would hear a lot about it if there was some kind of flaw in it.


Yes, this is exactly why I was asking the question. I don't believe any complex software exists that has no security holes but some software is worse than others.

#6 modi123_1

Posted 17 September 2013 - 08:22 AM

That article pointed to the common, and core, JRE shared by both. Which, if I were to poke at Java, I would start there.