Java and Security

With respect to Java, I'm pretty much in the same boat as Paul Graham: I've never used it but it does seem to have an unpleasant odor. One thing for sure, it's a major exploit vector and, as a result, I have it disabled on my machines.

On the other hand, lots of people are writing tons of Java code that does useful things, so it's obviously a useful platform. One of the nice things about Java is its “write once” technology. An application, once written, will run on any platform. At least that's the theory. Even if the actuality falls a bit short of that ideal, it's still nice to be able to write applications that will—more or less—run on any supported platform.

Now, though, there's news that should give everyone pause. eWeek is reporting that Java is the primary cause of 91% of cyber attacks. Think about that: nine in ten attacks target Java[1]. Of course, one could argue that if Java went away some other platform would take its place. Perhaps, but that doesn't let Java off the hook.

There's an awful lot of software written in Java and as I said above, it's a useful platform. But there's no excuse for the execrable state of the Java VM. The situation was bad when Sun was in charge and it doesn't seem to have improved under Oracle's aegis. Either Java gets those holes plugged or the platform will die.



[1] These are probably attacks against browser apps written in Java, but it's still shocking. I don't know why anyone would have Java enabled in their browser.
