This story was written by Keith Dawson for UBM DeusM’s community Web site Develop in the Cloud, sponsored by AT&T. It is archived here for informational purposes only because the Develop in the Cloud site is no more. This material is Copyright 2012 by UBM DeusM.

Java in the Browser

A fine language for back-end enterprise software is just dangerous in a browser.

The latest Java vulnerability, and US-CERT's response to it, may mark the endgame for Java in the browser on desktops.

You've almost certainly heard that a new "zero-day" vulnerability was found that affects the then-current version of Java, 1.7 Update 10 (called version 7u10), and earlier versions. As of Wednesday last week, the exploit had been baked into widely available crimeware kits. It was being actively exploited on Windows machines and researchers were predicting that Mac exploitation would not be far behind.

It was the latest in a continuous stream of such incidents dating back 15 years and more. This time the US Computer Emergency Readiness Team (US-CERT), in its vulnerability note, used unusually strong language: "Due to the number and severity of this and prior Java vulnerabilities, it is recommended that Java be disabled temporarily in web browsers."

Oracle Corp., the current steward of Java -- which it acquired among the assets of Sun Microsystems in 2010 -- quickly issued a patch. This was welcome, and surprising, because Oracle has not in the past demonstrated much nimbleness when it comes to dealing with security vulnerabilities in user-facing software, including Java.

Even after this fix, US-CERT has continued to reiterate its advice to disable or uninstall Java, adding to its vulnerability note: "This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. We are currently unaware of a practical solution to this problem."

Disabling it
Security blogger Troy Hunt posted details of how to discover what version of Java your machine is running and how to disable it on the various platforms. Hunt was surprised to discover that none of the sites he visits regularly depend on Java in the browser. He gives information on some, mostly European, banking sites that still require Java. But chances are, if you disable it you'll not miss it.

Hunt's advice aligns with what I have read elsewhere of late: If you find you do need Java, first uninstall it everywhere, then download the latest version and install it in one browser only. Use that browser only for the sites that need Java. For even more safety, you can package that browser up inside a virtual machine (VirtualBox is one free solution) and start up that hosted environment only when you need to use Java in the browser. Note that disabling the browser plugin is separate from uninstalling the Java runtime: desktop Java applications keep working with the plugin disabled, and 7u10 itself added an option in the Java Control Panel's Security tab to turn off Java content in every browser at once.
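After disabling or reinstalling the plugin, you want a check that the browser you are actually going to use no longer exposes Java to web pages. The following is an added example, not code from the article or from Troy Hunt's post: it scans the browser's navigator.mimeTypes for the MIME types the Java applet plugin registers and reports whether one is present and what version it advertises. It assumes the plugin registers types of the form application/x-java-applet;version=1.7 and application/x-java-applet;jpi-version=1.7.0_10, and the navigator objects at the bottom are constructed for the example rather than captured from a real browser; in a page you would pass the global navigator. The fix level 1.7.0_11 used in the example run is Oracle's 7u11 patch release.

```javascript
// Added example, not from the original article or from Troy Hunt's post.
// Checks from inside a web page whether a Java applet plugin is still
// registered with the browser by scanning navigator.mimeTypes, and whether
// the version it advertises is below a given fix level.
//
// Assumption: the Java plugin registers MIME types of the form
//   application/x-java-applet;version=1.7
//   application/x-java-applet;jpi-version=1.7.0_10   (full update level)
// The sample navigator objects at the bottom are constructed for this
// example; in a real page you would pass the global `navigator`.

const JAVA_APPLET_RE = /^application\/x-java-applet;(?:jpi-)?version=([0-9][0-9._]*)$/i;

// "1.7.0_10" -> [1, 7, 0, 10]; "1.7" -> [1, 7]
function parseVersion(s) {
  return s.split(/[._]/).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b. Missing parts count
// as 0, so "1.7" compares equal to "1.7.0_0" and below "1.7.0_10".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x - y;
  }
  return 0;
}

// Report whether any Java applet MIME type is registered and the highest
// version string found among them (null if none).
function javaPluginStatus(nav) {
  const types = (nav && nav.mimeTypes) || [];
  const versions = [];
  // Index loop rather than for...of: a browser MimeTypeArray is array-like,
  // not a true Array.
  for (let i = 0; i < types.length; i++) {
    const mt = types[i];
    if (!mt || typeof mt.type !== 'string') continue;
    const m = JAVA_APPLET_RE.exec(mt.type);
    if (m) versions.push(m[1]);
  }
  let highest = null;
  for (const v of versions) {
    if (highest === null || compareVersions(v, highest) > 0) highest = v;
  }
  return { registered: versions.length > 0, highest, versions };
}

// True when the plugin is registered and advertises a version below fixLevel.
// A plugin that only advertises "1.7" (no jpi-version) is treated as below
// any 1.7.0_x fix level, which is the safe direction to err in.
function javaBelowFixLevel(nav, fixLevel) {
  const s = javaPluginStatus(nav);
  return s.registered && compareVersions(s.highest, fixLevel) < 0;
}

// Constructed sample navigator objects (not captured from a real browser).
const NAV_WITH_JAVA_7U10 = {
  mimeTypes: [
    { type: 'application/pdf', description: 'Portable Document Format' },
    { type: 'application/x-java-applet;version=1.7', description: 'Java Applet' },
    { type: 'application/x-java-applet;jpi-version=1.7.0_10', description: 'Java Applet' },
    { type: 'application/x-java-vm', description: 'Java Applet' },
  ],
};
const NAV_WITHOUT_JAVA = {
  mimeTypes: [{ type: 'application/pdf', description: 'Portable Document Format' }],
};

// Example run; in a page: javaPluginStatus(navigator)
console.log(javaPluginStatus(NAV_WITH_JAVA_7U10));              // registered: true, highest: '1.7.0_10'
console.log(javaBelowFixLevel(NAV_WITH_JAVA_7U10, '1.7.0_11')); // true
console.log(javaPluginStatus(NAV_WITHOUT_JAVA));                // registered: false, highest: null
```

Two caveats. A MIME type entry tells you the plugin is registered with the browser, not that an applet will actually run (a click-to-play setting can still block it), so an empty result is the outcome to aim for. And the advertised version is whatever the plugin reports about itself; it is a check on your own machine, not something to trust from a remote page.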

What about mobile?
Java has never run on iOS devices; Steve Jobs hated it as much as he (famously) hated Flash, calling Java a "big heavyweight ball and chain."

Android's application development environment is built on Java, but Android apps run on Android's own virtual machine, not on Oracle's runtime, and Chrome for Android supports no browser plugins at all, so it does not run Java applets.

I don't know the status of Java in Windows 8 phones' IE browser. But in the 1990s, Java was half of the dynamic duo (along with the Netscape browser) that seemed to offer the best hope of breaking out of a Microsoft monoculture. Microsoft did its best to "embrace, extend, and extinguish" the language, in the words of an internal email revealed during Microsoft's antitrust trial. Perhaps Redmond has mellowed towards Java now that it is no longer a threat. (If you know, please share in the comments.)

Java has always been a target-rich environment for bad guys seeking to break into computers -- it's prominent on this list of exploits I was maintaining in 1997 and 1998 to document the first attacks on Windows PCs. This latest exploit, and the widespread publicity resulting from US-CERT's warning, may finally lay Java in the browser to rest.