Harman Patil (Editor)

Java security


The Java platform provides a number of features designed to improve the security of Java applications. These include enforcing runtime constraints through the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can use. Despite this, criticism has been directed at the programming language and at Oracle because of an increase in malicious programs that revealed security vulnerabilities in the JVM, which Oracle subsequently did not properly address in a timely manner.

The JVM

The binary form of programs running on the Java platform is not native machine code but an intermediate bytecode. The JVM performs verification on this bytecode before running it to prevent the program from performing unsafe operations such as branching to incorrect locations, which may contain data rather than instructions. It also allows the JVM to enforce runtime constraints such as array bounds checking. This means that Java programs are significantly less likely to suffer from memory safety flaws such as buffer overflow than programs written in languages such as C which do not provide such memory safety guarantees.

The platform does not allow programs to perform certain potentially unsafe operations such as pointer arithmetic or unchecked type casts. It also does not allow manual control over memory allocation and deallocation; users are required to rely on the automatic garbage collection provided by the platform. This also contributes to type safety and memory safety.

Security manager

The platform provides a security manager which allows users to run untrusted bytecode in a "sandboxed" environment designed to protect them from malicious or poorly written software by preventing the untrusted code from accessing certain platform features and APIs. For example, untrusted code might be prevented from reading or writing files on the local filesystem, running arbitrary commands with the current user's privileges, accessing communication networks, accessing the internal private state of objects using reflection, or causing the JVM to exit.

The security manager also allows Java programs to be cryptographically signed; users can choose to allow code with a valid digital signature from a trusted entity to run with full privileges in circumstances where it would otherwise be untrusted.

Users can also set fine-grained access control policies for programs from different sources. For example, a user may decide that only system classes should be fully trusted, that code from certain trusted entities may be allowed to read certain specific files, and that all other code should be fully sandboxed.
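The three-tier policy described above can be modelled with the platform's own permission classes. The following is an added example, not code from the original page or from the JDK documentation; it evaluates permissions directly without installing a security manager, and the class name `PolicyTiers`, the code locations and the file paths are constructed for illustration.

```java
import java.io.FilePermission;
import java.lang.reflect.ReflectPermission;
import java.net.SocketPermission;
import java.net.URI;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

public class PolicyTiers {
    // Builds the protection domain for code loaded from a (constructed) location,
    // holding exactly the permissions granted to that code source.
    static ProtectionDomain domain(String location, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        CodeSource source = new CodeSource(URI.create(location).toURL(), (Certificate[]) null);
        return new ProtectionDomain(source, perms);
    }

    public static void main(String[] args) throws Exception {
        String config = "/srv/app/config.properties"; // constructed sample path

        // Tier 1: system classes, fully trusted. Tier 2: a trusted entity that may
        // read one specific file. Tier 3: all other code, granted nothing.
        Map<String, ProtectionDomain> tiers = new LinkedHashMap<>();
        tiers.put("system", domain("file:/opt/jre/lib/", new AllPermission()));
        tiers.put("trusted", domain("https://vendor.example/app.jar",
                new FilePermission(config, "read")));
        tiers.put("untrusted", domain("https://unknown.example/applet.jar"));

        // The sensitive operations listed in the text, expressed as permissions.
        Map<String, Permission> probes = new LinkedHashMap<>();
        probes.put("read granted file", new FilePermission(config, "read"));
        probes.put("write granted file", new FilePermission(config, "write"));
        probes.put("read other file", new FilePermission("/home/user/notes.txt", "read"));
        probes.put("run a command", new FilePermission("<<ALL FILES>>", "execute"));
        probes.put("network connect", new SocketPermission("example.com:443", "connect"));
        probes.put("private reflection", new ReflectPermission("suppressAccessChecks"));
        probes.put("exit the JVM", new RuntimePermission("exitVM.0"));

        for (Map.Entry<String, ProtectionDomain> tier : tiers.entrySet())
            for (Map.Entry<String, Permission> probe : probes.entrySet())
                System.out.printf("%-10s %-20s %s%n", tier.getKey(), probe.getKey(),
                        tier.getValue().implies(probe.getValue()) ? "ALLOW" : "DENY");
    }
}
```

Only the system tier is allowed every operation; the trusted tier is allowed the single read it was granted, and the untrusted tier is denied everything because an empty permission set implies nothing.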

Security APIs

The Java Class Library provides a number of APIs related to security, such as standard cryptographic algorithms, authentication, and secure communication protocols.

Criticism of security manager

The security manager in the Java platform (which, as mentioned above, is designed to allow the user to safely run untrusted bytecode) has been criticized in recent years for making users vulnerable to malware, especially in web browser plugins which execute Java applets downloaded from public websites, more informally known as "Java in the browser".

Oracle's efforts to address these vulnerabilities resulted in a delay to the release of Java 8.

2012

An OS X trojan referred to as Flashback exploited a vulnerability in Java, which had not been patched by Apple, although Oracle had already released a patch. In April, Apple released a removal tool for Lion users without Java. With Java 7 Update 4, Oracle began to release Java directly for Lion and later.

In October, Apple released an update that removed the Java plugin from all browsers. This was seen as a move by Apple to distance OS X from Java.

2013

In January, a zero-day vulnerability was found in all versions of Java 7, including the latest version, Java 7 Update 10, and it was already being exploited in the wild. The vulnerability was caused by a patch intended to fix an earlier vulnerability. In response, Apple blacklisted the latest version of the Java plugin. Oracle released a patch (Update 11) within three days. Microsoft also released a patch for Internet Explorer versions 6, 7, and 8.

Cyberespionage malware Red October was found exploiting a Java vulnerability that was patched in October 2011. The website for Reporters Without Borders was also compromised by a Java vulnerability in versions prior to Update 11.

After the release of Update 11, another vulnerability began circulating online, which was later confirmed. It was also found that Java's security mode itself was vulnerable due to a bug. In response, Mozilla disabled Java (as well as Adobe Reader and Microsoft Silverlight) in Firefox by default, while Apple blacklisted the latest Java plugin again.

In February, Twitter reported that it had shut down an attack. Twitter advised users to disable Java, although it did not explain why. Later in the month, Facebook reported that it had been hacked by a zero-day Java attack. Apple also reported an attack. It was found that a breach of an iPhone developer forum was used to attack Twitter, Facebook, and Apple. The forum itself was unaware of the breach. Following Twitter, Facebook, and Apple, Microsoft reported that it was also similarly compromised.

Another vulnerability was discovered that allowed the Java security sandbox to be completely bypassed in the original release of Java 7, as well as Updates 11 and 15. In March, a trojan called McRat was found exploiting a zero-day Java vulnerability. Oracle then released another patch to address the vulnerability.

References

Java security Wikipedia