Java: More than the usual cup of coding coffee

Susan Bradley

In this week’s Top Story, “Security alert: Remove Java from your browsers,” Woody Leonhard discusses why and how you should remove Java from your browsers.

PC users conflate Java with JavaScript, and while both are vulnerable to malware attacks, Java is the more vulnerable of the two. Here’s a quick tutorial on Java.

Java and JavaScript: Shared name, different code

What’s the difference between Java and JavaScript? In a recent webcast (which talks about a JavaScript threat in IE), Microsoft MSRC Program Manager Dustin Childs stated, “Java is to JavaScript as Ham is to Hamster.” More specifically: though both are programming languages, Java is used to create applications; JavaScript is used primarily as a scripting language within programs and webpages. As noted in the Wikipedia JavaScript page, JavaScript adopts “many names and naming conventions from Java, but the two languages are otherwise unrelated and have very different semantics.”

From a malware-prevention perspective, the distinction between the two languages is important. It’s Java that we’re regularly updating on our PCs (if we have it installed). But even with the most up-to-date version of Java, we’re still vulnerable to malware attacks, as reported in an ISC Diary blog post.

JavaScript is still frequently used for creating dynamic, interactive webpages. Java, on the other hand, is used by fewer and fewer applications. I use only two applications that rely on Java: one is a Dell DRAC card, used to remotely access servers; the other is software used to adjust and configure some D-Link webcams. Neither application is critical to my day-to-day computing.

The ultimate cross-platform application language

Many developers love Java because they can code an application once and run it on a wide variety of platforms. You’ll find Java on Windows, OS X, Linux, and Android devices. According to Oracle, it’s also found on many dedicated devices such as cable boxes, DVD players, and routers — even ATMs and parking meters. (It’s not natively supported in iOS.)

“Code once” doesn’t mean never update. As with browsers and other apps, staying as secure as possible means always updating to the latest Java. If you have a bank or other financial institution that demands a version prior to Java 6, you really need to question that firm’s security stance — as well as its concern for your financial assets. Contact the firm and ask someone why they’re not protecting you as well as they should. Even a Java help page recommends:

“If you are being asked to run an application on an older version of Java and this version is installed on your machine, we strongly recommend trying the application with the most current version of Java installed on your system first.”

As detailed by Michael Horowitz on his Java Tester site, a Java component — called Java Virtual Machine or Java Runtime Environment — must be installed on a computer before Java programs will run. An Oracle Java page states:

“The JRE consists of the Java Virtual Machine (JVM), Java platform core classes, and supporting Java platform libraries. The JRE is the runtime portion of Java software, which is all you need to run it in your Web browser.”

Although you’ll typically see Java listed among your installed apps and add-ons, it’s the runtime components you’re disabling — if you follow the instructions in Woody’s Top Story, “Security alert: Remove Java from your browsers.”

Common — and uncommon — apps that use Java

Computers often come with Java components preinstalled. Michael Horowitz notes that trying to keep up with applications that demand Java is difficult. In his April 9, 2012, blog, Ed Bott listed numerous apps that use Java. Michael followed up with the following list:

  • GoToMyPC — works more easily with Java, though it’s not required
  • GoToMeeting [Java not required with newest browsers]
  • GoToWebinar [Java not required with newest browsers]
  • Scottrade
  • The Wall Street Journal website, wsj.com, uses Java for dynamic charts
  • Secunia’s Online Software Inspector
  • ThinkFree Office Online
  • FreeMind — mind-mapping software
  • France’s online voting system
  • LuxSci webmail — Java used only for some advanced features
  • time.gov — the official U.S. time site (Java can be disabled)

Of those applications, I’m most concerned that Secunia’s Online Software Inspector requires Java for its scanning processes. I recommend switching to Secunia Personal Software Inspector to scan your PC for needed updates.

The threat from Java-based attacks

If you must run Java on your computer and in a browser, how vulnerable are you? Merely stumbling across a website that has a Java-based attack script could result in an infection. But how prevalent are these attacks? Therein lies the rub; it’s hard to tell whether a new zero-day exploit will be a passing worry or a major threat. Like Woody, I recommend erring on the side of caution and removing Java. Then see what breaks.

That said, keep in mind that Java on the desktop is not the same as Java JRE in the browser. Using Java to attack a PC via a browser is much easier than using Java on the desktop. (As mentioned above, JavaScript can be a path for malware. NoScript is a popular Firefox extension for quickly enabling and disabling JavaScript.)




All Windows Secrets articles posted on 2013-01-24:

Susan Bradley

About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.