Linked by Thom Holwerda on Wed 10th Oct 2012 23:47 UTC, submitted by MOS6510
Java "Java is a programming language that allows developers to write once and deploy everywhere - from high-end gaming desktops to smartphones. Its OS-agnostic and widespread nature is one of its strongest selling points, but one area where it can fall flat is performance. Generally, Java applications are not going to perform as well as native applications written for a specific OS. However, thanks to Project Sumatra that performance gap may soon become less of an issue."
Thread beginning with comment 538228
Security
by WorknMan on Thu 11th Oct 2012 01:04 UTC
WorknMan
Member since:
2005-11-13

Is it even possible to run Java securely on a desktop these days, especially as a browser plugin? Mind you, I'm not trolling here... I'm genuinely asking, based on all the zero-day Java attacks I've been reading about lately.

Reply Score: 2

RE: Security
by kaiwai on Thu 11th Oct 2012 02:31 in reply to "Security"
kaiwai Member since:
2005-07-06

Is it even possible to run Java securely on a desktop these days, especially as a browser plugin? Mind you, I'm not trolling here... I'm genuinely asking, based on all the zero-day Java attacks I've been reading about lately.


The first thing I did when I had a Mac was to delete the Java plug-in (although it was a stub in recent versions which pointed to Mac OS X downloading the latest version, I still didn't like it 'there'). I guess you could do the same with Java on Windows (I don't have it installed) by disabling the Java plugin in both Internet Explorer and NPAPI browsers.

Reply Parent Score: 2

RE: Security
by Alfman on Thu 11th Oct 2012 03:50 in reply to "Security"
Alfman Member since:
2011-01-28

WorknMan,

"Is it even possible to run Java securely on a desktop these days, especially as a browser plugin?"

I don't know how well the Java browser plugin security is faring these days.

However as a local desktop platform I don't think Java deserves too much criticism since the language has never been less secure than native apps in the first place. Consider that anything which manages to break out of the java sandbox through a java vulnerability is still access-limited by the same user-space restrictions as a non-VM language like C. While a vulnerability is disappointing, the worst case scenario is that the java app gains access to the same userland syscalls that a native C app can access anyways.

Browsers are at risk because they run untrusted arbitrary code from the internet and they rely on the VM to isolate applets from the main browser process.


Edit: This may be a bit tangential, but another security consideration might be to factor in the likelihood of code written in language X or Y to contain vulnerabilities. I'd assume that Java's strict typecasting and bounds checking rules, as well as general lack of pointer arithmetic make it less likely for Java applications to contain severe (non language related) vulnerabilities.

Edited 2012-10-11 04:05 UTC

Reply Parent Score: 4

RE[2]: Security
by kwan_e on Thu 11th Oct 2012 04:01 in reply to "RE: Security"
kwan_e Member since:
2007-02-18

I'm not a security expert:

While a vulnerability is disappointing, the worst case scenario is that the java app gains access to the same userland syscalls that a native C app can access anyways.


Except with Java, isn't the vulnerability potentially cross platform? Whereas with native exploits, you'd have to write one for each different platform.

Reply Parent Score: 2

RE[2]: Security
by tracul on Thu 11th Oct 2012 09:16 in reply to "RE: Security"
tracul Member since:
2011-08-21

However as a local desktop platform I don't think Java deserves too much criticism since the language has never been less secure than native apps in the first place. Consider that anything which manages to break out of the java sandbox through a java vulnerability is still access-limited by the same user-space restrictions as a non-VM language like C. While a vulnerability is disappointing, the worst case scenario is that the java app gains access to the same userland syscalls that a native C app can access anyways.


The difference is that you can write "perfect" Java code and still your app will be potentially vulnerable (outside your control), whereas in C[++] it's all about the written code (under your control).

Reply Parent Score: 1

RE: Security
by moondevil on Thu 11th Oct 2012 06:01 in reply to "Security"
moondevil Member since:
2005-07-08

Is it even possible to run Java securely on a desktop these days, especially as a browser plugin? Mind you, I'm not trolling here... I'm genuinely asking, based on all the zero-day Java attacks I've been reading about lately.


As secure as any C or C++ application.

Press always fails to mention that the Java security exploits are not in the language, rather in the native code that compromises the virtual machine, in case a VM is used at all.

When a VM is used, then the exploit is done via the data the methods implemented in C/C++ expect, or by trying to find out bytecode sequences that the VM's verifier assumes are safe but are not.

Even with VM exploits it depends on which VM you are using, there are many more out there, besides Oracle's.

Reply Parent Score: 2

RE: Security
by lucas_maximus on Thu 11th Oct 2012 07:52 in reply to "Security"
lucas_maximus Member since:
2009-08-18

Just disable the plugin or only let it run on certain domains.

Reply Parent Score: 2