Study: Almost All Java Contain Security Holes

Earlier this year, we warned that Java carries serious security risks. Now, a new report suggests that the problem is even worse than previously believed.

Nearly all software applications written in Java contain code that has at least one security hole, according to a report from the Burlington, Massachusetts-based software security firm Veracode. While not all of these weaknesses are serious, enough potential holes exist to give any Java user pause.

"Nearly all software applications written in Java contain code that has at least one security hole."

One of the most common flaws identified is a deserialization vulnerability found in Apache Common Collections. According to Fortune, this can be found in 25 percent of all Java applications studied. It's a serious flaw that may affect millions of applications. Writing for Information Week, contributor Jai Vijayan notes that the vulnerability could make it easy for someone to gain complete control over an app server.

"They could steal or corrupt any data accessible from that server, steal the application's code, change the application, or even use that server as a launching point for further attacks now that they are inside the data center," Jeff Williams, chief technology officer at Contrast Security, told the news source. 

Enterprises that are using this software may have a difficult time cutting off potential risks. While they can remove the Apache Commons Collection component, there is no guarantee that all of the weaknesses are removed as well. Other libraries could also be exploited. As a rule, Vijayan writes, app vendors should not be unserializing untrusted data.

Java's many security weaknesses make it a poor choice for enterprises. Inventu's Flynet Viewer offers a different approach that uses secure Windows server technology and JavaScript at the client for a more effortless, cross-platform solution.