“Write once, run anywhere” has been the slogan for the Java programming language since it’s release as Java 1.0 in 1995. And, to be fair, as of 2012 Java is still one of the most widespread programming languages in use.
The question is, will it stay that way?
Programs written with the Java language can be run pretty much anywhere simply because the environment to run said applications has been adopted by and adapted for the majority of operating systems in existence. Java programs run on top of an application called the Java Virtual Machine (JVM). All modern Internet browsers have extensions or plugins to run Java-based applications. At last count, more than three billion devices worldwide are running Java.
Unfortunately for Java, criticism — mostly based around security concerns — has become more than just a side effect of popularity and longevity. The threat has become so serious that the U.S. Department of Homeland Security has released a public warning to all Internet users: “Unless it is absolutely necessary to run Java in web browsers, disable it.”
Across the globe, leaders are taking notice of the rise in Internet security threats. U.S. President Barack Obama issued an executive order seeking better protection of the country's critical infrastructure from cyber attacks during his State of the Union address earlier this month. Meanwhile in Moscow, Information Technology security vendor Kaspersky Lab, one of the top five antivirus vendors globally, has placed Java in the top two vulnerabilities for the past two years.
In 2012, Java overtook Adobe Reader as the number one vector for malicious computer hacking. Not just overtook, Java blew Adobe out of the water. Adobe Reader’s position dropped from 35 per cent in 2011 to 28 per cent in 2012, while Java’s accountability doubled from 25 per cent to a staggering 50 per cent of attacks.
I suppose it makes sense, in a way. A language that has programs running everywhere is just too broad a target to overlook. And the vulnerabilities are there. Even after Oracle released a security update for Java in response to the last warning from the Department of Homeland Security, the department’s stance remains unchanged. Their last release on the topic makes the point that, patched or not, Java has not demonstrated a level of security on an ongoing basis that leads to trust. In other words, enough is enough. Why take the chance anymore?
If anyone was in doubt on the issue of Java, the breadth of the latest burst of attacks should convince you. Attacks have been reported across all sorts of systems, most recently the headquarters of Facebook, Microsoft and, yes, even Apple.
A point to Apple on this one. After the widespread attack last April that exploited a Java vulnerability to infect more than 500,000 Apple computers with malware, the company at 1 Infinite Loop, Cupertino, Calif., wasn’t taking any more chances. Java has not been included in the built-in software of any Apple computer since the release of Mac OS X Lion in July 2011. Too bad even this effort wasn’t enough to prevent the infection of several computers inside Apple itself in recent weeks. The same software, infecting Macs via a flaw in a Java browser plugin, was used to launch successful attacks against Facebook.
I have fond memories of Java. I still use it in my work on occasion. I sincerely hope the slogan, “write once, run anywhere,” doesn’t take on a more sinister meaning in the coming months.
Now, if you haven’t already, go disable Java in your browser. I’d recommend using the instructions issued by Oracle at www.java.com/en/download/help/disable_browser.xml rather than clicking random links from an Internet search at this point.
Leave that for after you disable the gaping security vulnerability.
Jon Reid is an IT professional working in Corner Brook. His column appears every other Tuesday in The Western Star.