Cup half full? Oracle VPs defend Java's security legacy

Two prominent Oracle vice presidents have defended Java's poor security record, arguing that the popular programming language is only vulnerable when run within the browser.

"The one key thing here is you have to separate the other Java use cases," said Henrik Stahl, vice president of product management at Oracle. "Java spans everything from smart cars to servers. The only area that has really been impacted by [security] is the browser client on desktops."

In October, Oracle released an enormous patch that fixed 51 separate security loopholes in Java's code.

Stahl's comments were made during an interview with VR-Zone.

The vice president argued that Java was suffering a greater number of security problems simply because it was designed to run untrusted code that could come from anywhere, and is therefore a much bigger target for hackers.

"You have never been exposed," Stahl told Java's rivals. "Or at least not even remotely close to the exposure we've seen from the browser plugin."

Nandini Ramani, Oracle's Vice President of the Java Platform, also took to the stage to announce Oracle's membership in the HSA Foundation, and defend its security record. She pointed to the fact that Sun Microsystems was now under Oracle's wing, and claimed that the database giant is doing its best to clean up the mess left behind.

"The bulk of the issues — I'd say 98 per cent probably or more — are legacy issues from the original Java platform," she said. "We've been setting the foundation up to get to the standards of Oracle."

Java's security issues have been glaring and long-running, and are now the single greatest barrier to Oracle's ambitious expansion plans for the language. The software multinational hopes that Java will be a keystone of the emerging Internet of Things.

However, the company will need to win back the trust of developers first.

In September, Michael Mimoso of Threatpost described Oracle's security legacy as "turning to rubble," describing developers losing faith in the language as "ferocious cybercriminals and nation-state hackers feast on vulnerable code and broken patches."

This was due to Java's policy of "allowing signed applets to bypass their own application sandbox," the isolated, restricted environment in which Java applets are meant to run. Escaping the sandbox could give malicious code full access to the machine.

In January 2013, the Computer Emergency Readiness Team, part of the US Department of Homeland Security (DHS), published a warning that any system using Java 7 was "at high risk" from a zero-day exploit that could grant hackers full access to a compromised computer.

For systems requiring high security, the DHS advised disabling Java completely.

Java was originally developed by James Gosling at Sun Microsystems, which merged into Oracle Corporation in 2009.

Image: Flickr (@Doug88888)