Java’s popularity and portability have brought it detrimental attention from the cracking community (Websense 2), requiring research to plug loopholes. Different versions of the Java Runtime Environment (JRE) are under attack. Despite efforts by Sun Microsystems, and now Oracle, to patch the holes, vulnerabilities are still present, albeit unpublished. The result is that Java-based programs are increasingly targeted on systems running Windows operating systems (Oremus). Macintosh systems with old versions of Java are also prone to attacks.
Websense Security Labs found that unpatched Java encourages exploits (3). The study covered 900 million endpoints in the company’s intelligence cloud. 191.61 million of these users ran versions of JRE 1.7; the remaining 78.71 percent ran various versions from v1.0 to v1.6 (Websense 3). The potential damage is considerable in view of the 50 security holes that were patched in the Java SE software in February 2013, as noted in an article by Krebs on Security.
Livshits looked into possible solutions to security errors in Java applications using lightweight static analysis (1). He found that if a static analyzer finds a program safe, then it is safe for all possible inputs (Livshits 1). The methodology checked for bad session stores, which uncovered 14 errors, and for SQL injections, which uncovered eight (Livshits 2). Livshits extended the research to Eclipse, running lightweight static checking against the Eclipse sources themselves; the result yields 68 errors.
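To make the two error classes named above concrete, the following added example (not code from Livshits’ papers or his tool) is a deliberately small, line-by-line static checker in Python. It reads a constructed Java servlet snippet, tracks which variables are tainted by request input, flags a tainted value reaching `executeQuery`, and flags a `session.setAttribute` call whose stored object has a declared type that is not known to be `Serializable`. The taint sources, the sink names and the set of serializable types are assumptions chosen for the example, as is the sample Java source; a real analyzer would resolve types and aliases rather than match text.

```python
import re
from dataclasses import dataclass

# Constructed Java snippet (not from the paper): one unsafe query built by
# string concatenation, one safe PreparedStatement, and two session stores.
SAMPLE_JAVA = """
String user = request.getParameter("user");
String q = "SELECT * FROM accounts WHERE name = '" + user + "'";
ResultSet rs = stmt.executeQuery(q);
Connection conn = pool.getConnection();
session.setAttribute("conn", conn);
String safeQ = "SELECT * FROM accounts WHERE name = ?";
PreparedStatement ps = conn.prepareStatement(safeQ);
ps.setString(1, user);
ResultSet rs2 = ps.executeQuery();
String count = "42";
session.setAttribute("count", count);
"""

# Assumed taint sources and the (small) set of types treated as Serializable.
TAINT_SOURCES = ("request.getParameter(", "request.getHeader(", "request.getQueryString(")
SERIALIZABLE_TYPES = {"String", "Integer", "Long", "Boolean", "Double"}

DECL_RE = re.compile(r'^\s*(?:final\s+)?(\w+)\s+(\w+)\s*=\s*(.+);\s*$')
SINK_RE = re.compile(r'\.(executeQuery|executeUpdate|execute)\((.*)\)\s*;?\s*$')
SESSION_RE = re.compile(r'session\.setAttribute\(\s*"[^"]*"\s*,\s*(\w+)\s*\)')


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def _mentions(identifiers, text):
    """True if any identifier in the set appears as a whole word in text."""
    return any(re.search(rf'\b{re.escape(i)}\b', text) for i in identifiers)


def analyze(java_source: str):
    """Single pass over statements; findings are returned in source order."""
    tainted = set()   # variable names derived from request input
    types = {}        # variable name -> declared type
    findings = []
    for lineno, raw in enumerate(java_source.strip().splitlines(), 1):
        line = raw.strip()

        decl = DECL_RE.match(line)
        if decl:
            typ, name, rhs = decl.groups()
            types[name] = typ
            # Taint flows from a source call or from any tainted name on the RHS,
            # which covers string concatenation such as "..." + user + "...".
            if any(src in rhs for src in TAINT_SOURCES) or _mentions(tainted, rhs):
                tainted.add(name)

        sink = SINK_RE.search(line)
        if sink:
            arg = sink.group(2).strip()
            # executeQuery() with no argument is the PreparedStatement form;
            # only a tainted argument is reported.
            if arg and _mentions(tainted, arg):
                findings.append(Finding(lineno, "sql-injection",
                                        f"tainted value '{arg}' reaches {sink.group(1)}"))

        store = SESSION_RE.search(line)
        if store:
            name = store.group(1)
            typ = types.get(name, "<unknown>")
            if typ not in SERIALIZABLE_TYPES:
                findings.append(Finding(lineno, "bad-session-store",
                                        f"'{name}' of type {typ} is not known Serializable"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_JAVA):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Running the checker on the embedded snippet reports the concatenated query on line 3 and the `Connection` stored in the session on line 5, while the parameterized query and the `String` attribute pass. The point of the example is the shape of the analysis, not its precision: a text-level checker misses aliasing, method calls and control flow, which is why a production tool works on a parsed program rather than on lines.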
Java’s wide usage across industries demands that programmers find and close security loopholes before deployment. Livshits’ research findings support this view: finding exploitable errors before an application is released reduces the potential for damage. The use of methods such as the lightweight static checking process developed by Livshits promises to help maintain Java’s reputation.
Oremus, Will. “Why You Should Probably Disable Java on Your Browser Right Now.” Slate. 29 Aug. 2012. Web. 17 Apr. 2014. <http://www.slate.com/blogs/future_tense/2012/08/29/Java_zero_day_vulnerability_why_you_should_disable_Java_on_your_browser_right_now_.html>
Websense. “White Paper: Why Java Exploits Remain a Top Security Risk.” Bitpipe. 31 Mar. 2014. PDF. 17 Mar. 2014. <http://www.bitpipe.com/detail/RES/1395430798_459.html>
KrebsonSecurity. “Critical Java Update Fixes 59 Security Holes.” KrebsonSecurity. 3 Feb. 2013. Web. 17 Mar. 2014. <http://krebsonsecurity.com/2013/02/critical-Java-update-fixes-50-security-holes/>
Livshits, Benjamin V. Finding Security Errors in Java Applications Using Lightweight Static Analysis. Maryland: Annual Computer Security Applications Conference. 2004. Electronic.
Livshits, Benjamin V. Turning Eclipse Against Itself: Finding Errors in Eclipse Sources. California: Microsoft Research. 2005. Electronic.