Oracle, which recently released a new version of its JDK—Oracle Java Development Kit 7 Update 40 (JDK 7u40)—is now under fire for security-related issues with its latest release.
Jerry Jongerius, a computer scientist and founder of Duckware, a provider of Java tools and other software products, claims the latest JDK release intentionally breaks Java applets. Ironically, Oracle maintains that JDK 7u40 includes new diagnostic, monitoring, security and deployment capabilities for Java Platform Standard Edition 7 (Java SE 7).
In a blog post, Jongerius takes Oracle to task, saying Oracle “intentionally and needlessly” breaks local file system Java applets.
“Oracle’s Java Security team is removing ‘file path’ information from a locally run Java applet, busting the applet, citing security concerns,” Jongerius wrote. “But removal of that information was a ‘mistake’ from day one, because ‘file path’ information will always be available—no matter what is done to Java—via the web page the applet is in.”
Oracle did not respond to a request for comment on Jongerius’ complaint before this article was posted.
Jongerius said he believes the core issue at work here is that “Oracle is intentionally killing off the Java security sandbox under the pretense of improving security. Oracle’s alternative to a null getCodeBase()? Code sign your Java applet and get FULL UNRESTRICTED ACCESS to the entire computer.”
Jongerius further spells out his complaint: “Oracle’s security fix for a sandboxed applet that can see some path information—already available via the web page—is to break the applet, and then Oracle recommends that ‘the fix’ for the broken applet is to run the applet outside the sandbox (where the Applet has access to EVERYTHING on the computer) WTF!—Oracle is clearly trying to kill off the security sandbox.”
Although Jongerius goes to great lengths to criticize Oracle for what he sees as a major issue, he at least offers a few solutions or fixes that could alleviate the problem; see his post for details. Jongerius, a prolific programmer, has been writing Java code since 1996 and is the author of Writing Bug-Free C Code for Windows.
Suffice it to say that a simple fix would be for Oracle to “undo their changes to getCodeBase() and getDocumentBase(),” Jongerius told Developer.com.
“If Oracle actually wants to hide ‘file path’ information from the programmer, they can do that by adjusting how those functions work,” he said. “Returning ‘null’ is a draconian fix that only harms Java developers and their clients. I have police department clients that have produced huge virtual tours on CD to help first responders in ‘Columbine’ type events. Oracle has screwed them over. First responders running the latest Java are screwed. For reasons discussed in the paper, that change was needless.”
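As an added illustration (not code from the article, from Jongerius or from Oracle), here is how a sandboxed applet can tolerate a null getCodeBase()/getDocumentBase() by taking its location from the page that embeds it, which is the very information Jongerius notes the page already has, instead of being signed for full access. The parameter name docbase, the class name and the data file name are assumptions.

```java
import java.applet.Applet;
import java.net.MalformedURLException;
import java.net.URL;

// Added illustration: a locally run, unsigned applet that keeps working when
// JDK 7u40 returns null from getDocumentBase(). The enclosing HTML page knows
// its own location, so it passes it in as an applet parameter (name "docbase"
// is an assumption); the applet stays inside the sandbox rather than asking
// for full privileges just to find its own data files.
public class LocalTourApplet extends Applet {
    private URL base;

    @Override
    public void init() {
        base = resolveBase(getDocumentBase(), getParameter("docbase"));
        if (base == null) {
            // Neither source gave a usable location: fail closed and say why.
            showStatus("Cannot locate tour data; page did not supply a base URL.");
        }
    }

    // Prefer the JRE-supplied document base; fall back to the page parameter.
    // Returns null when neither is usable, so callers never see a bogus base.
    static URL resolveBase(URL fromRuntime, String fromPage) {
        if (fromRuntime != null) {
            return fromRuntime;
        }
        if (fromPage == null || fromPage.isEmpty()) {
            return null;
        }
        try {
            URL candidate = new URL(fromPage);
            // Accept only schemes a CD-based tour page could legitimately use.
            String scheme = candidate.getProtocol();
            if (!scheme.equals("file") && !scheme.equals("http") && !scheme.equals("https")) {
                return null;
            }
            return candidate;
        } catch (MalformedURLException e) {
            return null;
        }
    }

    // Resolve a data file (e.g. "tour.dat", an assumed name) relative to the base.
    URL dataFile(String name) throws MalformedURLException {
        return base == null ? null : new URL(base, name);
    }
}
```

The embedding page supplies the parameter from its own location, for example by writing a `<param name="docbase" ...>` tag built from `document.location` before the applet loads.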
The latest features and enhancements to Oracle JDK 7 include advanced monitoring and diagnostic capabilities that enable developers to gather detailed runtime information and perform efficient data analysis, without impacting system performance; a new security policy that gives system administrators greater control over Java running on desktops; improved performance and efficiencies for Java on ARM servers; and support for Mac OS X Retina displays.
With JDK 7 Update 40, Oracle and the Java community are also delivering “an overall improved user experience for both developers and end users,” said Georges Saab, vice president of Java SE development at Oracle, in a statement.
Oracle will highlight the availability of JDK 7 Update 40 and other Java technology updates at JavaOne San Francisco 2013 running Sept. 22-26.
With the release of JDK 7u40, Oracle is continuing its work to merge the Oracle HotSpot Java Virtual Machine (JVM) and Oracle JRockit into the JDK, which will include the best features from each of these implementations.
JDK 7u40 also includes a new security feature: Deployment Rule Set, which enables a system administrator to control which applets or Java Web Start applications an end user is permitted to execute and which version of the Java Runtime Environment (JRE) is associated with them. Deployment Rule Set provides a common environment to manage employee access in a controlled and secure manner.