23

The Java plugin for web browsers is known to have many security issues, at least in the past. Google Chrome is not even supporting it any more, describing it as decrepit technology, and Firefox having a little warning message near it.

But is the JRE secure with out the browser plugin? Are Java desktop, mobile and server applications as vulnerable as the Java plugin?

Dan
  • 323
  • 2
  • 7
  • 35
    Secure against what? More secure than what? The issue with Java plugins is that they are designed to be sandboxed in the browser's execution context, here there is a security flaw when the plugins manages to escape the sandbox. As soon as you manually run an application on your platform, whether it is developed in C or Java, it **will** have access to your files: this is not a security flaw, this is the expected behavior. Actually, Java will bring more security through proper memory handling than a C software, so this would make C less secure than Java on desktop platforms... – WhiteWinterWolf Sep 17 '15 at 09:06
  • 2
    Can I suggest you remove the mobile part of your question, as that is quite a broad area. Feel free to ask it as a separate question. – paj28 Sep 17 '15 at 09:54

3 Answers3

50

Yes - Java desktop and server applications are basically secure.

When you run a desktop application - Skype, Picassa, whatever - you give that software full access to your computer. You have to trust the software.

In contrast, when you run a Java applet in your web browser, the applet runs in a restricted environment called a sandbox. The sandbox exists so you do not have to trust the Java applet.

Java has had a lot of vulnerabilities; almost all of them are "sandbox escapes". In other words, if you're running an old version of Java, a malicious applet can break out of the sandbox and take control of your computer.

Not many technologies support sandboxes. In fact, there are only three common technologies where people routinely run untrusted software: Java, JavaScript and Flash. All of these have had many sandbox escape vulnerabilities, which demonstrates the difficulty of writing a secure sandbox.

When you run Java on your desktop, or on a server, you trust the Java code you are running, so you are not relying on the sandbox. In that context the main concern is whether untrusted data can interfere with the application. For example, if you're talking to someone on Skype, could they send a malicious message that Skype mishandles and allows them to take control of your computer. (I'm just using Skype as an example here).

There have been very few instances where bugs in the Java runtime would allow a desktop or server application to be hacked. Typically this happens because of bugs in the application code, not Java itself.

paj28
  • 32,906
  • 8
  • 93
  • 130
  • +1, I agree with the whole idea, but as I commented to the other member, a desktop app is open to a malicious input from a nefarious user/program. –  Sep 17 '15 at 10:16
  • 2
    You didn't even mention ActiveX :D Sadly, most of those sandboxes weren't designed with security in mind - it was still too long ago. More modern sandboxes tend to be a lot more secure and reliable (e.g. Silverlight, not that it's used all that much), but applets of all kind have gone out of favour, really... – Luaan Sep 17 '15 at 11:43
  • 3
    @Begueradj Literally every app that allows user input is open to malicious input from a user – James_pic Sep 17 '15 at 12:33
  • 5
    @Luaan ActiveX was never really designed to be secure -- it was designed to [allow anything](https://msdn.microsoft.com/en-us/library/aa751972%28VS.85%29.aspx#Why_Are_ActiveX_Cont), and then later adapted slightly to allow running reasonably safely inside the web browser as well. Adding security as an afterthought has, to my knowledge, never ended well; security needs to be accounted for in the initial design in order to be successful. – user Sep 17 '15 at 13:22
  • Shouldn't the answer be *no*? Since you argue - correctly - a desktop application can do anything, makes me think that such applications are very insecure. – Willem Van Onsem Sep 17 '15 at 13:23
  • 6
    @CommuSoft but the java platform is no more insecure than a C++ or .net app you install in your machine. The point is, the PLATFORM is secure, as secure as any other. You never get cut in the kitchen because of the cutting board, be it glass, wood or metal. It is always the knife. – Mindwin Remember Monica Sep 17 '15 at 13:44
  • `Not many technologies support sandboxes. Three common technologies where people routinely run untrusted software: Java, JavaScript and Flash` If you mention Java here so what about .net ? – Robert Niestroj Sep 17 '15 at 13:45
  • 3
    @RobertNiestroj - .Net does indeed have a sandbox. However, the Flash-like component (Silverlight) is not widely used, so it didn't make my list. – paj28 Sep 17 '15 at 13:50
  • @RobertNiestroj "Routinely" and "common" is the key here. While .NET applications are perfectly capable of being run as an applet, and Silverlight also runs on a (limited) .NET, it wasn't really widely used. It was better designed for security - better sandboxing, better verifiable code, signing (eliminates the *untrusted* part), but it didn't get a wide adoption, unlike Java or Flash. Now that even Java and Flash are dying on the internet, it's unlikely this will change. – Luaan Sep 17 '15 at 13:50
10

But is the JRE secure with out the browser plugin? Are Java desktop, mobile and server applications as vulnerable as the java plugin?

The JRE is not that very safe even if we do not take in consideration the Java plugin. To give you a hint, you will find here a long list of security vulnerabilities, including critical ones, discovered during this year affecting JRE in its different versions.

And sandboxing mechanisms we find in the JVM (and elsewhere) are not that perfect, they are sometimes bypassed:

Although Oracle is aware that Java vulnerabilities can also be exploited on server deployments by supplying malicious input to APIs in vulnerable components, its message has generally been that the majority of Java vulnerabilities only affect the Java browser plug-in or that the exploitation scenarios for Java flaws on servers are improbable, Gowdiak said Tuesday via email.

We tried to make users aware that Oracle’s claims were incorrect with respect to the impact of Java SE vulnerabilities,” Gowdiak said. “We proved that the bugs evaluated by Oracle as affecting only the Java plug-in could affect servers as well.”

Source: Researchers: Serious flaw in Java Runtime Environment for desktops, servers

schroeder
  • 125,553
  • 55
  • 289
  • 326
  • 4
    Any widely used application will have similar numbers of security vulnerabilities - it's only an issue if they're not patched. CVEDetails (the site you posted a link to) will show a similar number of vulnerabilities in Microsoft Windows, Microsoft Office, Mac OS, iOS, Adobe Acrobat, and any number of other widely used applications. – James_pic Sep 17 '15 at 12:40
  • 3
    I logged in just for this, @paj28 if you actually read the CVE's you will see that pretty much everything this year is to do with 'breaking out of the sandbox', (for either browser plugins, or servlets running on a server. ), you actually have to dig a little bit to see in oracles release notes that these are all sandbox escape issues. – Damian Nikodem Sep 17 '15 at 21:09
  • *Any widely used application will have similar numbers of security vulnerabilities - it's only an issue if they're not patched*: So since the last time you updated your software you have been safe and that is why no security updates have released since? @James_pic –  Sep 18 '15 at 04:36
  • For the part where you stated that all softwares are vulnerable (hence contradicting yourself), it is a comment you must write to the OP because it does not contradict my answer @James_pic –  Sep 18 '15 at 04:48
  • @Begueradj Perhaps I'm just a little unclear on your argument. It seems like you're arguing that the JRE is very insecure, but it's not clear to me what the context is. Are you saying it's insecure relative to similar tehnologies? And for what kinds of threats (sandbox escapes? purely remote attacks? evil maids?)? If you could clarify these things, I think it would improve the answer. – James_pic Sep 18 '15 at 09:11
9

While the Java RE is not always as safe as advertised, the alternatives are even worse. Other technologies like C++ don't even try to offer sandboxing and allow a program to do whatever it wants. When you run a local program on your machine, you should assume that you allow it to do whatever it wants. It does not matter if it is implemented in C, Python, Java or whatever.

Philipp
  • 49,017
  • 8
  • 127
  • 158