At first I thought Homeland Security had declared a War on Java. An article on ZDNet, supposedly a computer-literate news site, declared:
The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.
On CBS News, we find the same claim:
The U.S. Department of Homeland Security is advising people to temporarily disable the Java software on their computers to avoid potential hacking attacks. …
Experts believe hackers have found a flaw in Java’s coding that creates an opening for criminal activity and other high-tech mischief.
This had me seriously scared, not because I believed that there was a problem so severe that it required shutting down all Java software, but because I thought Homeland Security had gone bonkers in a way that directly threatens the value of my professional skills. I’m a Java developer. If DHS is spreading bogus claims about Java, that hits me hard.
It turns out in this case that DHS isn’t, but a bunch of news sources are. Here’s the actual alert. It says: “Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.”
These are serious concerns, and Java is being less and less used in browsers, so I can accept that the vulnerability is real. I’ve disabled Java in Firefox. But the large majority of Java in use today is server-side code in Web applications, and the alert doesn’t say anything to suggest that’s a problem. Following the distortions by CBS and ZNet would mean shutting down a lot of websites — to give an example I’m personally familiar with, Harvard’s entire online library presence.
Let’s get a little technical for a moment. Java code can, in principle, do anything on a computer, including writing, reading, and deleting files. When you run an applet from a website in your browser, you clearly don’t want it able to do that, so Java provides a Security Manager that prevents it from doing harmful things. The bug which the alert talks about is in the Security Manager. When you’re running someone else’s Java on your computer, such as an applet on a website, that’s when you’re at risk. Web applications running Java need to talk to the file system, so they don’t use the Security Manager; they assume their code is trustworthy, and if it isn’t, that’s a people problem that could happen with any programming language.
The stupid news reports will doubtless cause some panics in IT shops; I’ve had to deal with a couple like this in the past. In the end it probably won’t make much difference; the people who are technologically literate will figure out the difference, and the ones who aren’t will get jobs reporting on tech for ZDNet and CBS. But I wish they wouldn’t scare me like that.
Update: I’ve seen a claim that this is a Windows-only problem. It isn’t. The alert says that Linux and Mac OS browsers are vulnerable.