What You Should Know About Java’s Security Issues
One of the most widely used pieces of software in the world has struggled to shake off an array of security issues. If you use it, is it time to change platforms?
Many computer users have a piece of software on their computers so insecure that the U.S. government has recommended it be disabled.
The problem is, there’s a chance it may be essential for your association’s work.
As we reported last year, Java is one of the most insecure pieces of software in common use. Users have been forced to update their software 11 separate times over the past 18 months alone, according to ZDNet.
The current situation: Recently, researchers discovered a so-called zero-day vulnerability with the Java platform, meaning that the security hole was already being used by hackers to access systems remotely on multiple platforms—including Windows, Linux, and Mac OSX. The vulnerability is so severe that the U.S. Department of Homeland Security urged users to disable the software on their computers, and Apple blocked Java on the OSX platform altogether. While the flaw was patched, researchers continued to find flaws in the latest versions of the software.
Update headaches: On top of Java’s security issues, users may find themselves in danger when looking to update. On Windows, at least one piece of malware has been spotted pretending to be the Java update. And even if you get the real one, there are still significant issues—ZDNet’s Ed Bott points out that Oracle’s Java installer on Windows, required for installing the security updates, includes a browser add-on for the search engine Ask.com that’s turned on by default and is difficult to remove once installed.
Security experts frustrated: How bad is the situation with Java? At least one security researcher argues that Java may need a complete rethinking. “Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it, and those concerns leak over onto every Oracle product,” Andrew Storms of nCircle Security told ComputerWorld.
The problem for businesses: While Java is not as widely used by consumers, it is a common platform for web-based and desktop-based business applications, especially those that have to work cross-platform. Naked Security, the blog run by security firm Sophos, notes that the site’s recommendation that Java should be shut off entirely has led to a bit of backlash from readers. While accepting that a transition like this is difficult to handle, the company’s Paul Ducklin suggests that the Java crisis may be an excuse to move corporate software to a new, more secure platform. “We still think it’s an issue you may as well confront now, instead of simply invoking ‘legacy reasons’ as an excuse for ignoring it for too long, as many companies did with IE 6,” he explained recently.
Does your association use Java-based software to run its internal applications? If so, have you considered moving to something else because of security concerns?