Home > News > Oracle: Java’s security problems are limited to the browser

Oracle: Java’s security problems are limited to the browser

In the wake of Oracle joining the HSA foundation, company spokespeople say Java’s security problems won’t impact the Internet of Things.


Two prominent Oracle VPs are confident that Java has a clean bill of health, and is ready to be used in heterogeneous computing.

Last week at AMD’s #APU13 conference in San Jose Oracle announced it was joining the Heterogeneous Systems Architecture (HSA) foundation, the AMD, ARM, Imagination Technologies, MediaTek, and Texas Instruments founded group that’s working to create ways to better program heterogeneous parallel devices, in hopes that Java would become a dominant language in heterogeneous programming as it is in the non-heterogeneous coding world.

Before Nandini Ramani, Oracle’s Vice President of the Java Platform, took to the stage to announce Oracle’s membership in the HSA Foundation, ARM’s Chief Technology Officer, Mike Muller, began the morning with a talk of where HSA was going and where it will go in the future.

One of Muller’s takeaway points of the talk was that a world with heterogeneous computing  would need a certain level of trust and security. If HSA technology is scaled up as the Internet of Things (IoT – a terrible buzzword) takes off, the standard used so that these heterogeneous systems can talk to each other must be inherently secure.


One thing that may spook people away from embracing Java in heterogeneous systems and the IoT is its much publicized security problems. After all, it wasn’t too long ago that Java seemed crippled by almost weekly news of a new catastrophic zero-day exploit. In early January, the United States Computer Emergency Readiness Team, warned users to upgrade immediately to the newest release of Java because of a new serious vulnerability found in the wild.

 In September, Threatpost ran a piece titled “Java’s Losing Security Legacy” about the apparent paradox of Java’s sandbox: applications with signed code are allowed to bypass Java’s sandbox, thereby bypassing the security the sandbox offers. If malicious code was somehow signed, it would have unrestricted access to the system.

“The sandbox is a huge problem for Oracle,” Jerry Jongerius, a prominent Java developer, told Threatpost. “Everyone is breaking in. Their solution is to code-sign and get out of the sandbox. But then, you have full permission to the machine. It doesn’t make sense.”

But Oracle VPs are quick to point out that Java in the browser and Java in everything else are entirely separate things when it comes to security issues. Security problems with one should not be conflated with all other instances, they say.

“The one key thing here is you have to separate the other Java use cases. Java spans everything from smart cars to servers. The only area that has really been impacted by [security] isthe browser client on desktops,” said Henrik Stahl, vice president of Product Management at Oracle, in an interview with VR-Zone.  “The main reason for that is very simple: the browser plugin historically was built to execute untrusted code — code that comes from anywhere; you have no idea where the code is coming from.”

Stahl said that one of the reasons for so many reports on Java’s security woes is because its Java on the browser that’s being targeted. This instance of Java is simply much more exposed, and thus targeted by hackers. With other instances, “you have never been exposed, or at least not even remotely close to the exposure you’ve seen from the browser plugin,” he said.

Ramani points out that Java is under new ownership as of 2009, and Oracle has been quite busy cleaning up the mess Sun left in the legacy code.

“The bulk of the issues — I’d say 98 percent probably or more — are legacy issues from the original Java platform,” she said. “We’ve been setting the foundation up to get to the standards of Oracle.”


Leave a Reply

Your email address will not be published.

Read previous post:
Valve jumps into the virtual reality space with its own hardware

Valve is set to reveal its own virtual reality hardware at the turn of the year.