Why The Java Bug Is A Big Deal

This article is more than 10 years old.

U.S. Department of Homeland Security Official Seal Websafe Colors (Photo credit: Wikipedia)

In Carl Reiner’s movie “Dead Men Don’t Wear Plaid,” Steve Martin plays detective Rigby Reardon, who is investigating the “accidental” death of a scientist. The film is filled with gags: each time the gumshoe makes his signature cup of java, he’s shot. With the help of actress Rachel Ward, he survives and finds that the unassuming case he is working on has far greater stakes than he could have imagined. It seems that a recent stir with a different cup of Java is no gag and is leading to big stakes for the Internet. We are, of course, referring to the Java programming language.

Just about every electronic device conceivable uses some amount of Java programming. Computers and cell phones are the obvious users of Java. DVD players, lottery ticket machines, medical devices, parking payment stations, and automobile navigation systems are just a few examples of others. Originally developed by Sun Microsystems, the language is currently developed and maintained by Oracle.

Recently, the U.S. Department of Homeland Security announced that there is a major security flaw in all versions of Java.  If the announcement is correct, hackers might obtain access to any and all data that resides on an individual’s computer, cell phone, or other device.  It is uncertain whether a hacker might be able to activate a computer’s video camera.  According to some reports by technical publishers, the instructions needed to exploit the security flaw are readily available on the Internet.  Until the security flaw is patched, Homeland Security is advising people to disable Java in any computer or device that accesses the Internet.

Computers and cell phones use Java to accomplish certain essential functions when accessing the Internet. For example, the primary method by which investment advisors place trades at one major securities brokerage firm is a Java application. If investment advisors follow Homeland Security’s recommendation and disable Java on their computer systems, trades would likely be phoned in, and the trading desks might be pushed to their limit by trades placed manually over the phone. At the time of this writing, the security team at the brokerage firm had not released a notice of the problem to its employees.

The reality is that the security flaw in the Java programming language will likely expose vulnerabilities in a wide range of industries. Perhaps a firm’s research and development system is hacked and that company’s trade secrets and intellectual property find their way to a low-cost competitor in another country. Perhaps a firm's inventory system is hacked and knowledge of shortages in certain equipment is used by a supplier to squeeze the company. And then, there are the banks with all of our financial data. Let your imagination run.

Alternatively, we can all disable Java. The electronic wheels that drive business (and our lives) will likely not stop completely. But they will turn more slowly. And it’s hard to estimate the dollar value of the friction such a disabling will induce.

UPDATE #1

The security issue relates to ALL Java versions from 4 through 7; the security issue is NOT limited to plug-ins and applets alone. This can be verified in the National Vulnerability Database, which can be found at:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422

UPDATE #2

It appears that on Sunday, January 13th, Oracle released Java Version 7 Update 11, which is supposed to fix the security issue.

UPDATE #3

Several commenters have stated that the warning released by the U.S. Department of Homeland Security might be misinterpreted and that -- based on release notes from Oracle -- the security issue is limited to Java 7 alone.  We have contacted the U.S. Department of Homeland Security for a clarifying statement.  We will provide that information upon receipt.

UPDATE #4

As of 1/20, we have not received a response from the U.S. Department of Homeland Security to clarify its assessment of the threat.