
14 January 2013

Oracle JRE Vulnerability and Security Miscommunication

There is a very dangerous bug in Oracle's Java Run Time Environment which enables an attacker to access data outside the JRE's sandbox environment. This should be communicated widely, and the patch should be applied as soon as possible. These facts are indisputable.

However, some tech writers and commentators clearly don't understand the difference between the Java Run Time Environment and Java itself. The most notable article was this one in Forbes, which paints the language itself as the vulnerability, rather than specifically the run time environment. In fact, it makes specific reference to "Java the language", and also pulls in all sorts of systems that have run time environments, although these environments do not necessarily have the vulnerability (since they are likely to be running a different version of the run time environment). There are in fact many different JREs, and not all of them are made by Oracle (the notable alternatives being IBM's and the open source OpenJDK project).

To be fair, for most consumers there is little to distinguish between a JRE and Java the language. Still, I think that referring to all the possible installations of Java, instead of to where the problem actually is, is a red herring. There are some great guides on how to see if you are affected and how to fix it, such as this one by Krebs (although he also sometimes refers to the language rather than the JRE).