
Java 'Zero-Day' Security Issue & Oracle's Patch, Java 7u11

by Nicole Hayward

US-CERT warned of cyber attackers leveraging a Java 7 vulnerability. Oracle released a patch yesterday. Read on for what you should know.

Published: January 14, 2013

Java 7 has recently made the news for security concerns highlighted by the Department of Homeland Security this past Wednesday. Oracle, owners of Java, quickly responded by releasing a Java 7 update yesterday, Sunday, January 13, 2013. Because we use Java in our web application my.OnSIP, we would like to briefly explain what this all means and how it affects you.

What's Java and Which OnSIP Applications Use It?

As you may know, Java is a cross-platform programming language and computing platform that was first released by Sun Microsystems in 1995 and is now provided by Oracle. It's often used in web applications to give the applications more native capability than the browser will allow. A similar and competing alternative is Adobe's Flash.

At OnSIP, our customers will encounter Java in the browser when using our web phone in my.OnSIP; this web phone runs as a Java applet, which we refer to as Osprey's Jitsi applet.

Now, let's be clear, even before I jump into the security concerns: there is no security vulnerability or inherent evil in Java applications such as Osprey's Jitsi applet. Nothing I'm about to explain makes our applications any less secure than they were. Let's now talk about the issue.

The Security Concerns

Last Thursday, U.S. Computer Emergency Readiness Team (US-CERT) reported that Java 7 contained a security vulnerability that allowed hackers to run malicious Java applets on users' computers without prompting the user. At its core, the security vulnerability exists in the Java Web Start Browser Plugin, which is a plugin that enables Java applications to run inside of web browsers. Typically, browser plugins should only allow a web program access to the browser; however, the Java Web Start Browser Plugin's vulnerability allows applications to access the user's computer, a BIG problem if the application is malicious.

Here's an analogy: You own a home on 1 Computer Lane and you let your babysitter, Mr. Java Browser Plugin, welcome visitors into your yard. On a sunny day, Mr. Java Browser Plugin welcomes the gardener into your yard without telling you, and then gives the gardener full access to your home. Unfortunately, the gardener (malicious Java program) turns out to be a thief, rifles through your belongings, and steals your wallet.

Alright, enough with the analogy. As Oracle's security alert put it, "To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages these vulnerabilities." And that's what's happening: hackers are putting malicious Java applications into advertisements and websites and taking control of people's computers, because the security vulnerability in the Java Web Start Browser Plugin gives them access to do so.

A quick aside in case you are wondering: Many articles are referring to it as a "zero-day exploit," which means the security hole was discovered the same day that it was exploited, so developers had "zero days" to address it.

How To Protect Your Computer: Oracle's Latest Java Release and Recommendations

According to Ian Paul of PCWorld, the "biggest change for users with [Oracle's Java 7 update 11 (Java 7u11)] is that now all unsigned Java applets and Web start applications are click-to-run. This means you must explicitly authorize Java to run in your browser nearly every time you come across Java on the Web." Oracle did this by setting the Java version's default security level to "High" so that users are prompted before running unsigned or self-signed applets.

This is an improvement because, as described before, malicious Java applications (analogy: gardener) were able to enter your computer (analogy: house) without getting your permission. At least now with this update, if you visit a site with malicious Java content, you'll be made aware that there is Java content before it runs. Thus, we recommend that Java 7 users update their Java versions as soon as possible. To download this update, click here.

However, it's important to note that the security concern is still present, and the update really places the responsibility on you, the user. The best thing you can do is choose only to run Java applets that you expect to run. (Even if you think you're on a trustworthy website, a third-party ad on that website could prompt you to run a malicious Java application.) So, if you visit a website and you're prompted to run a Java applet when you're not expecting to run a program, say NO, particularly if it's an unsigned or self-signed application.
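For administrators who would rather enforce the "High" security level on every machine than rely on each user making the right choice at the prompt, here is an added example of a system-wide Java deployment configuration. It is not from the original article, from Oracle's alert, or from OnSIP; the `deployment.security.level`, `.locked` and `deployment.webjava.enabled` keys are documented Java 7u10+ deployment properties, while the Windows file paths shown are assumptions about a typical installation and should be adjusted to your own.

```properties
# ---- deployment.config (system-wide) ----
# Added example, not from the article. On Windows the system-level file is
# usually %WINDIR%\Sun\Java\Deployment\deployment.config; the exact path is an
# assumption about your installation. It points Java at a system-wide
# deployment.properties and makes that file mandatory.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

# ---- deployment.properties (system-wide) ----
# "HIGH" is the level Oracle made the default in Java 7u11: unsigned and
# self-signed applets prompt the user before they run instead of running silently.
deployment.security.level=HIGH
# The ".locked" suffix stops users from lowering the level in the Java Control Panel.
deployment.security.level.locked

# Optional, stricter choice for machines that never need browser Java at all
# (e.g. ones that do not use the my.OnSIP web phone applet): disable the browser
# plugin entirely and lock that setting too. Commented out here because the
# web phone in my.OnSIP needs the plugin enabled.
# deployment.webjava.enabled=false
# deployment.webjava.enabled.locked
```

Locking the level does not remove the vulnerability in an unpatched Java; it only guarantees the click-to-run prompt that 7u11 introduced stays in force, so it complements the update rather than replacing it.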

Thanks for the contributions to this article from Engineering team members John Riordan, Jason Salsiccia, and Will Mitchell, as well as Samantha Avignone for resource collection. Readers, please feel free to post responses and questions here in the comments.
