It hasn't been a great week for the makers of Java.
Oracle, the company behind the programming language that powers both Web and desktop applications, has been scrambling to fix major security flaws in its software after the Department of Homeland Security warned of the threat on Jan. 10. Through its Computer Emergency Readiness Team (CERT), the government issued some straightforward advice: Unless you absolutely need it, disable Java in your Web browser altogether.
Within days of CERT's vulnerability notice, Oracle released patches to address part of the problem.
But that wasn't good enough to satisfy Marc Hoit, vice chancellor for information technology at N.C. State. On Wednesday, his team pushed out an update that shut down Java on every IT-managed system on campus, roughly 10,000 machines. He's also recommending that students, faculty and staff do the same on their own computers.
Notices aren't rare
Vulnerability notices, even from the Department of Homeland Security, aren't exactly a rarity in the IT world. But there are a few reasons why even casual users should pay attention to this one.
For starters, Java runs on an enormous number of machines, and because the flaw is in Java itself rather than in any one operating system, CERT says Windows, OS X and Linux can all be affected.
"Because Java is so ubiquitous, it's a nice target for malicious hackers to try to go and exploit your machine," Hoit said in a phone conversation.
The vulnerability is also far from theoretical. In a Jan. 13 security release, Oracle's Eric Maurice explained that all an attacker needs to do is trick users into visiting a malicious Web page. Once your browser runs the Java applet embedded in the page, the attacker is free to run his or her code on your now-compromised system, with no further action on your part.
What's more, both Oracle and CERT have already seen these techniques exploited in the wild and packaged into existing hacking tools, so the flaw is being used, not merely discussed.
The real issue
There are a couple of things worth noting here, the first of which is that this problem seems limited to Java running in Web browsers (the Java plug-in), not to standalone Java applications on the desktop. You can disable the software's Web capabilities either in each browser or, if you have Java 7 Update 10 or later, through a single checkbox in the Java control panel; older versions have no such switch, so the plug-in must be disabled or removed in every browser you use. Instructions can be found here: www.java.com/en/download/help/disable_browser.xml.
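For an IT-managed rollout like the one described above, the Java control panel checkbox is backed by a plain-text property file, which makes the change scriptable and auditable. The script below is an added example and is not code from the article, from N.C. State or from Oracle; it assumes the property name deployment.webjava.enabled and the per-user file locations that Oracle documents for Java 7 Update 10 and later, so check both against your installed version before relying on it. The sample property file it runs on at the end is constructed, not taken from a real installation.

```shell
#!/bin/sh
# Disable the Java browser plug-in for one user by setting the deployment
# property behind the Java Control Panel's "Enable Java content in the
# browser" checkbox (Java 7 Update 10 and later).
# ASSUMPTION: the property name deployment.webjava.enabled and the file
# locations listed below come from Oracle's deployment documentation, not
# from the article; verify them for your Java version.
#
# Per-user property file (assumed locations):
#   Linux:   ~/.java/deployment/deployment.properties
#   OS X:    ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
#   Windows: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

# disable_webjava FILE
# Set deployment.webjava.enabled=false in FILE, replacing any existing
# value and creating the file if it is absent. Idempotent: running it
# twice leaves exactly one copy of the key.
disable_webjava() {
    file="$1"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # Drop every existing setting of the key (grep exits 1 when nothing is
    # left, which is not an error here), then append the hardened value.
    grep -v '^deployment\.webjava\.enabled=' "$file" > "$tmp" || true
    printf 'deployment.webjava.enabled=false\n' >> "$tmp"
    mv "$tmp" "$file"
}

# webjava_state FILE
# Print "disabled", "enabled" or "unset" for FILE so the change can be
# verified afterwards, or used as an audit check across many machines.
webjava_state() {
    file="$1"
    [ -f "$file" ] || { echo unset; return; }
    # The last occurrence wins, matching how a properties file is read.
    v=$(grep '^deployment\.webjava\.enabled=' "$file" | tail -n 1 | cut -d= -f2)
    case "$v" in
        false) echo disabled ;;
        true)  echo enabled ;;
        *)     echo unset ;;
    esac
}

# Demonstration on a constructed sample file in a temp directory, so the
# script can be run anywhere without touching a real Java installation.
demo=$(mktemp -d)
printf 'deployment.webjava.enabled=true\ndeployment.security.level=HIGH\n' \
    > "$demo/deployment.properties"
echo "before: $(webjava_state "$demo/deployment.properties")"
disable_webjava "$demo/deployment.properties"
echo "after:  $(webjava_state "$demo/deployment.properties")"
rm -rf "$demo"
```

To apply it for real on Linux, call `disable_webjava "$HOME/.java/deployment/deployment.properties"` (substitute the OS X or Windows path from the comments), then reopen the Java control panel and confirm the checkbox is cleared; `webjava_state` on the same path gives the same answer from the command line. Other settings in the file are left untouched, which matters when the file also carries a security-level or proxy configuration you do not want to lose.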
Although more fixes to the Java platform are forthcoming, Oracle's not likely to restore much confidence with IT professionals like Paul Rosenberg, owner of the Chapel Hill repair shop Love Your Computer. For more than a year, he has mostly advised his clients to remove Java. He even gave the same advice to Stump the Geeks readers last April.
He says it's frustrating to know users and his customers are forced to pay the price for inadequate security updates.
"It's kind of like knowing that in some random circumstance your USB cable to your printer might allow something to come in and trash your OS," Rosenberg said in an email.
"You've got to have that cable for the printer, and you have to have Java for a variety of things (though it is possible to live without it in many cases), so all you can do is hope Oracle diverts more energy from PR to security."
Send technology questions to firstname.lastname@example.org. Please include your name, city and daytime phone number. Sorry, we can't answer every question.