Why is Java so harmful?

Hopefully someone on here can give me a simplified response as the detailed responses use jargon which completely confused me haha!

I let my younger brother use my Mac to play some games occasionally, and there's this game that requires me to download Java (for the game client, not for use on web browsers).

just wondering if anyone can explain why Java seems to be notorious as a security risk for OSX?

Will it be dangerous playing this game? Is there any way I could disable Java from all access APART from this game client?

Thanks guys, any help would be fantastic!
 
C

chas_m

Guest
The tl;dr version is that it is a buggy and poorly-written program with a cross-platform codebase that requires system access and the highest privileges. This means that if there's a flaw in the program miscreants can exploit, they have full access to the system because Java has the same privileges as an admin user.

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
The tl;dr version is that it is a buggy and poorly-written program
Evidence?

with a cross-platform codebase
That's largely irrelevant - platform availability doesn't matter.

that requires system access and the highest privileges.
No it doesn't. I take it you've never written a Java app or used Java before?

ClarkeFace, Java is often grouped together with Flash in this regard. In large part, it's because (and this is especially true for Java) it runs everywhere, from high end servers to old feature phones. An exploit in the Java framework is consequently far reaching especially given the central philosophy for Java, namely, that software written on one supported platform should be able to run elsewhere without modification.

To give you a sense of this, take a look at the CVE database, the list of common vulnerabilities and exposures (a measure of how many vulnerabilities are actually present). Java products (runtimes mostly) have a total of 1374 combined in the database. Firefox, as another example, has a total of 1376 across different Firefox versions and products. How often do people complain about Firefox (relatively so)?

Or, think about this: iOS has 1045 CVE ids (1045 vulnerabilities reported) and yet, iOS hardly gets news coverage like Java does (or what it perhaps deserves relatively). In part, this is a reach issue (Java has a much further reach than iOS has by a longshot) and, I'm speculating with no evidence here, the tech media likes to hate Java because it's an easy target.

Are there poorly thought out features for a modern day web? Sure - applets are the worst thing to have running in a browser. Does that make it less secure? No but it does open itself up to more attacks. I won't defend Java as a marvel of security (it's not) but it's not, in and of itself, really any less secure than other software.
 
C

chas_m

Guest
I think that counting simply the number of CVEs is a bit deceptive; there's no denying that Java has had numerous instances of CRITICAL security flaws that required "emergency" patches, whereas some other programs might have the same number of discovered flaws but a much lower instance or risk of exploitation. This is not to say that the programs you mention are free of "serious" flaws as well, mind.
 
Joined
Apr 26, 2008
Messages
2,963
Reaction score
120
Points
63
Location
Belgium
Your Mac's Specs
iPad Pro 12.9 latest iOS
2 pieces of software you need to stay well away from are Java & Flash.
They are accountable for the vast majority of the exploits of vulnerabilities, both vulnerabilities in their own implementations and as a convenient mechanism to exploit vulnerabilities in an OS / Other application. Convenient because of their huge install base.
That's not me spreading FUD; those are simple historical facts.

Flash should be killed totally and with immediate effect.
And Java as well .... unless you want your car being remotely controlled whilst you are behind the steering wheel (proof of concept has already been demonstrated).

Cheers ... McBie
 

Shop Amazon


Shop for your Apple, Mac, iPhone and other computer products on Amazon.
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.
Top