Is Java secure for the desktop?

Yes - Java desktop and server applications are basically secure.

When you run a desktop application - Skype, Picasa, whatever - you give that software full access to your computer. You have to trust the software.

In contrast, when you run a Java applet in your web browser, the applet runs in a restricted environment called a sandbox. The sandbox exists so you do not have to trust the Java applet.

Java has had a lot of vulnerabilities; almost all of them are "sandbox escapes". In other words, if you're running an old version of Java, a malicious applet can break out of the sandbox and take control of your computer.

Not many technologies support sandboxes. In fact, there are only three common technologies where people routinely run untrusted software: Java, JavaScript and Flash. All of these have had many sandbox escape vulnerabilities, which demonstrates the difficulty of writing a secure sandbox.

When you run Java on your desktop, or on a server, you trust the Java code you are running, so you are not relying on the sandbox. In that context the main concern is whether untrusted data can interfere with the application. For example, if you're talking to someone on Skype, could they send a malicious message that Skype mishandles and allows them to take control of your computer? (I'm just using Skype as an example here.)

There have been very few instances where bugs in the Java runtime would allow a desktop or server application to be hacked. Typically this happens because of bugs in the application code, not Java itself.


But is the JRE secure without the browser plugin? Are Java desktop, mobile and server applications as vulnerable as the Java plugin?

The JRE is not that safe even if we do not take the Java plugin into consideration. To give you a hint, you will find here a long list of security vulnerabilities, including critical ones, discovered during this year affecting the JRE in its different versions.

And the sandboxing mechanisms we find in the JVM (and elsewhere) are not that perfect; they are sometimes bypassed:

Although Oracle is aware that Java vulnerabilities can also be exploited on server deployments by supplying malicious input to APIs in vulnerable components, its message has generally been that the majority of Java vulnerabilities only affect the Java browser plug-in or that the exploitation scenarios for Java flaws on servers are improbable, Gowdiak said Tuesday via email.

“We tried to make users aware that Oracle’s claims were incorrect with respect to the impact of Java SE vulnerabilities,” Gowdiak said. “We proved that the bugs evaluated by Oracle as affecting only the Java plug-in could affect servers as well.”

Source: Researchers: Serious flaw in Java Runtime Environment for desktops, servers


While the Java RE is not always as safe as advertised, the alternatives are even worse. Other technologies like C++ don't even try to offer sandboxing and allow a program to do whatever it wants. When you run a local program on your machine, you should assume that you allow it to do whatever it wants. It does not matter if it is implemented in C, Python, Java or whatever.
