Is Java insecure? That depends

Java is often listed as one of the more insecure applications to be installed on a computer. For awhile there in 2013, it seemed as if there was a new Java exploit every week. But is Java really a massive security risk? Yes and no.

In the sense that there are vulnerabilities discovered, problems arise quickly for the average user that ignores the “please update Java” notification. The same goes for Flash, IE, and Acrobat. If there’s a vulnerability, and the average user ignores it (and in my experience they often do), then of course it’s got the potential to be a problem. The same goes for nearly any application that connects to the outside world.

This is why I often recommend that people just not install Java, just use Chrome for Flash and PDF’s on the web (Google reliably updates Chrome automatically) and just avoid IE unless absolutely necessary.

Also, running a computer as a non-admin helps greatly too, as at least in the case of Windows, UAC doesn’t help much.

If a user absolutely needs Java for a given application, then install it, be diligent about patching it, and also if possible disable the browser plugin (which is actually the biggest problem with it).

If a user absolutely needs Java in a browser (I do) then install it, and then disable it for every browser you use, but one. Use that browser just for the known sites that require Java, but otherwise don’t use the browser to surf.

The same goes for being an admin user. I as a Sysadmin unfortunately cannot get away with denying all users admin rights. It’s an embedded culture thing, and it’s not going away. HOWEVER: I have successfully talked folks into having a separate, local admin account that they know the username and password for, that allows them to install their own software as needed.

It gives them the freedom they’re accustomed to, while making the operation of the computer more secure.

So is Java insecure, and “dangerous”? It can be. It’s one more thing to be managed, but in the context of modern software, everything needs to be managed to an extent, because no code is perfect.

In my opinion, users tend to just expect computers to be a simple tool, and on the outside, they are.
But internally they’re probably one of the most complex machines we’ll ever deal with, and thus need to be treated with an air of caution.

Posted in Uncategorized.