Java Security Issue

The U.S. Department of Homeland Security issued a recommendation that everyone who can should disable Java (not JavaScript, which I wish people would not disable).

It’s an interesting story because it is only the second time the DHS has asked people to remove or disable software. The previous time was for a version of Microsoft Internet Explorer (big surprise, right?), until it was fixed. Java has a long, storied history, which I went over a little in my post “Why So Many Programming Languages?” It seems most people who use Java aren’t aware they are using it.

It’s relatively rare to come across a website that requires Java. I’ve run into it the most when a video wanted to play and Chrome asked me if I wanted to give it permission. I don’t know why anyone is using Java for this purpose when there are so many lighter alternatives available. For the time being, if you run across one of these, the prudent thing to do would be to deny the website permission, because even though you may trust the website you are visiting, you can’t know if it has been compromised.

What I’m interested in with this mess is what it will do to the Java brand. Until today, many people were unaware they were using Java at all, so now they are being hit with this message: the Department of Homeland Security says your computer may be vulnerable because of a piece of software called Java that you didn’t even know you were running, and we don’t have a fix for it yet.

Despite once being on the brink of extinction when it failed to take hold in the browser, Java is still important. If you have an Android or a BlackBerry phone, you use it every day: all of your apps are built on it. But as far as I can tell from what I am reading, you’re probably pretty safe. I don’t know the technical details on this particular vulnerability, but Android apps run in a very tightly secured environment (each runs as its own Linux “user” under the Android operating system), so it’s likely they would be stopped before doing anything too destructive.

Update: Oracle has posted what they are calling a “fix” to the Java problem, but security experts are skeptical. ZDNet says it will be about two years before Oracle gets the security issues solved. My prediction is this will be the end of Java in the desktop browser. My new question is, will we soon be calling the unrelated language, JavaScript, by its more technically accurate but clumsier name, “ECMAScript”?
