DHS Warning About Java: Update

Several days ago I wrote a blog post about the warning from the U.S. Department of Homeland Security (DHS) about the use of Java.  DHS had gone so far as to advise users to disable Java in their browsers.

A few words of clarification.  First, as many of you surely know, Java is not JavaScript.  Those are totally different and unrelated languages, in spite of the unfortunately similar names.

Second, by warning users to turn off Java in their browsers, DHS is essentially telling them to disable Java applets, which are the only form of Java programs that can run in a browser.  Applets are small programs that exist on websites, download to your browser, and execute on your own local computer, all within a container that is intended to prevent them from doing anything to your computer without your express permission.  Generally the only thing an applet is allowed to do is present data visually and accept typed or other forms of input from the end user.  Frankly, that’s not how most Java-based systems work today.  Most Java-based systems consist of Java programs that run elsewhere – within mobile devices, or on servers in all sorts of forms.  Lots of websites use Java on the server side and never send applets to their end users’ browsers.  So you may still be visiting a website that runs Java on the server side and never sends executable code to your browser; it probably only serves up completed web pages.  That’s fine: you’ll be safe insofar as the DHS warning is concerned.

So now it’s February 3, 2013 (Super Bowl Sunday incidentally), and yet – still no apparent conclusion to the Java situation.

The most recent article I can find right now is Taking the Java Bull by the Horns by Patrick Nelson at Technology News, published Jan. 31, 2013, and it says this:

even though Oracle has made some efforts to patch the flaws, DHS hasn’t lifted its warning … As of Jan. 22, 2013, the current version of Java is Version 7, Update 11. The latest version includes fixes for issues raised by DHS as well as other issues. It also sets security settings to “High.” … You may decide that it’s prudent to switch off Java altogether. New Java vulnerabilities are likely to be discovered, according to DHS’s Computer Emergency Readiness Team.

The article also includes step-by-step instructions for performing upgrades and adjusting security settings in your browser.

We’ll keep an eye on this.  I think many of us are so busy working in non-applet areas that we’re not all that concerned.  However, I know firsthand of one company that internally uses an applet-driven software tool for internal corporate communications, and they’ve recently made the call to shut it down until this issue is resolved.  It’s disruptive for sure.

Stay tuned.
