Are unsigned Java applets dangerous?

Every few weeks it happens again: a new critical security hole in the Java software. Some of them are serious enough that even the public service broadcasters report on them - the last "big case" occurred in January 2014. By then at the latest, the Federal Office for Information Security (BSI) is always quick to offer a piece of "good" advice: all users should either completely uninstall Java from their computers or at least remove or deactivate the plug-ins that enable browsers such as Internet Explorer or Firefox to run so-called Java applets directly. However, the BSI attaches one qualification: users should deactivate it "... as long as they do not absolutely need it".

This "absolutely necessary" is the problem: Until recently, the majority of German citizens still needed the Java software in order to be able to submit their tax returns with the help of the ElsterOnline portal of the tax authorities. In the meantime, the authorities are finally offering a Java-free ElsterOnline variant. But there are more than enough applications that rely entirely on Java.

In short: we will probably have to live with the Java risk for some time. Reason enough for us to take a closer look at the topic.

Java - WTF?

Java is a programming language that James Gosling and several colleagues developed during their time at Sun Microsystems. Sun was taken over by Oracle in 2010, which means that Java and all its forms came into the care of the database company.

Java is an object-oriented programming language that carried the project name Oak until 1995. Gosling's team developed it with the aim of replacing C, the seemingly all-powerful programming language of the time. On the one hand, this was to be achieved by significantly simplifying the language compared to C and C++. On the other hand, Java not only contains the classic compiler for translating the source code, but also offers a runtime environment (JRE - Java Runtime Environment). It uses virtual machines (JVM), which make Java programs as independent as possible of the platform on which they were developed: programmers can create their Java programs once and then run them on any platform, provided a corresponding runtime environment with the required libraries is available there. In this way, Java has not only spread to PCs over the years, but is also used on many devices from telephones to Blu-ray players to components in cars.

What is JavaScript all about?

Java and JavaScript are often confused with each other, but have nothing to do with each other: while Java is a "real" programming language, JavaScript is a pure script language (based on text) that can only be executed within HTML documents. This script language was developed by Netscape under the name LiveScript. What it has in common with Java is that both are based on and use object-oriented techniques. Confusion often arises not only because the names are so alike, but also because both technologies are often activated on users' PCs by visiting websites in a browser. In addition, both are "active techniques" which ultimately allow program code to be executed on one's own PC.

Components of Java

Many users may not be aware that Java is already preinstalled on their computers. At least one version of the runtime environment - the Java Runtime - can be found on most PCs. If you don't know exactly whether Java is installed, you can search for it in the Windows system settings under "Programs and Features" (under Windows 7) or under "Programs" (with Windows 8). In addition to the download, Oracle also provides a corresponding test option on the Java website.

Whether pre-installed or manually downloaded and installed - the result is the same: the Java runtime environment (JRE - Java Runtime Environment) ends up on the system, just like the virtual machine for Java (JVM) and the required Java libraries. The JRE is necessary so that Java software that a web browser finds on a page can be executed on the local system.

Another important part of the package can be found directly in the browser - the so-called Java plug-in. Only with this additional piece of software, which is integrated into the respective browser, can the small Java programs - so-called applets - be executed at all, since it establishes the connection between the browser and the runtime environment. This also shows that such a plug-in could never work "stand-alone" - that is, without the JRE. If you have installed a plug-in in one of your browsers, you must also have the runtime environment installed on the system.

  1. Is Java already installed on my PC?
    The provider Oracle provides the option of having this determined directly via the website.
  2. Sluggish user base
    The users take their time with the update: User share of newer Java versions (patched) compared to older and vulnerable (affected) versions on a weekly basis.
  3. Approval required
    The security mechanisms of the browser (here Google Chrome) take effect: Before Java is released - even for checking purposes - this must be approved by the user.
  4. Caution, comprehensive rights
    Java doesn't just run in the browser: In these cases, an application is used on your own PC, which sometimes works with unrestricted access.
  5. Windows 8 support
    All checks can of course also be carried out under Windows 8: Microsoft offers additional support here with its own information page.
  6. Does it help?
    The installation of the Java software under Windows 8: Oracle of course sees more of the advantages in this software and reveals them during the installation.
  7. More rubbish
    A very bad habit that Java shares with Adobe's Flash: During installation, the software tries to bring additional "crapware" onto the user's system through preselected menu items, or to "bend" settings such as the one for the search engine.
  8. Java absolutely necessary
    Applications that only run if Java is installed: The freeware JDownloader already indicates in its name that it can only be used if the Java Runtime is available.
  9. Java mandatory II
    The anonymization tool JAP (JonDo) also depends on the Java Runtime being installed on the PC on which it is used. Otherwise it can be installed by the software.
  10. Control panel
    The security settings on a Windows 8 system: Unnoticed by many users, Java also installs an entry in the Windows control panel from which the so-called Java Control Panel can be called up.
  11. Simple uninstallation
    The Java Control Panel is of course also available in Windows 7 systems: With its help, the software can also be easily uninstalled.
  12. Set the frequency of the updates
    With the help of the control panel, users can specify both the frequency and the manner in which the relevant Java updates are downloaded and installed.
  13. Deactivate the plug-in
    Deactivating the Java plug-in directly in the operating system: This also works via the control panel in the system control by deselecting the box for the browser. The browser must then be restarted.
  14. Java vanishes
    This is how Java disappears from the system: Like any other software under Windows, the software can be uninstalled again directly under the entry Programs (or "Programs and Features" under Windows 7).
  15. Plug-in management
    The plug-in settings in the Firefox browser: Here, users can specify whether their browser should run Java applets - and they can also remove this plug-in at this point.
  16. Is everything still fit?
    Should be done regularly: Mozilla's Firefox allows the plug-ins to be checked to see whether they are still up to date.
  17. Master of the exploits
    Java "leading" again in 2013, as this overview of the indicators of compromise found by SourceFire shows. (Source: SourceFire / FireAMP solution, Cisco)
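
The check behind item 13, as an added example that is not part of the original article: the "Enable Java content in the browser" box in the Java Control Panel is stored as deployment.webjava.enabled in the per-user deployment.properties file, so the setting can be audited without opening the panel. The property names follow Oracle's deployment configuration documentation; the sample file content, the finding codes and the function names are constructed for illustration.

```python
# Added example, not from the article. Property names follow Oracle's
# deployment configuration documentation; the sample content is constructed.
# Usual per-user location on Windows Vista and later (assumption for your setup):
#   %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

SAMPLE = """\
#deployment.properties (constructed sample)
deployment.version=7.21
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""


def parse_properties(text):
    """Parse the simple key=value / key:value subset of the .properties format."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        for i, ch in enumerate(line):
            if ch in "=:":  # first separator ends the key
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props


def audit(props):
    """Return finding codes for settings that leave the browser plug-in exposed."""
    findings = []
    # Documented default is "true", so a missing key still means "enabled".
    if props.get("deployment.webjava.enabled", "true").strip().lower() != "false":
        findings.append("plugin-enabled")
    # Only judge an explicitly stored level; otherwise the JRE default applies.
    level = props.get("deployment.security.level")
    if level is not None and level.upper() not in ("HIGH", "VERY_HIGH"):
        findings.append("low-security-level")
    return findings


if __name__ == "__main__":
    for code in audit(parse_properties(SAMPLE)):
        print("finding:", code)
```

An empty result means the plug-in is switched off for all browsers of that user and no lowered security level is stored; the JRE itself is still installed and can run local Java applications.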

Why Java is dangerous

Basically every major software project has the problem of susceptibility to errors. The situation becomes even more difficult and complex when software has to interact with other software or even the operating system - system administrators and security officers can tell you a thing or two about it. Another big problem with Java: Here programs are executed on the PC. In order to run programs on a computer (regardless of which operating system it is operated with), these programs require resources from the operating system and, in some cases, access to the files stored there. In many cases, these actions are carried out with all the rights of the respective user - if the user works with the access rights of an administrator, dangerous access and changes are possible. Although since Windows Vista it is no longer necessary for a standard user to work with administrator rights as under Windows XP, this is unfortunately still the rule all too often.

The Java developers did in principle come up with a good concept: Java programs are to be executed in a virtual machine whose access to the system is properly blocked. Unfortunately, practice shows that this does not hold, and that many influences from other programs can also have an effect here, which then turn out to be veritable security gaps (what computer science calls "side effects", a term that is often translated incorrectly). Errors in the implementation and in the addition of new functions and libraries also contribute to security gaps arising again and again. These must then be removed by the provider - in this case Oracle - using appropriate patches and upgrades.

In principle, the following also applies here: Users should not run software from unknown and/or potentially unsafe sources on their systems. But that is exactly what they often do when they call up a web page that starts a Java applet on the local PC!