Discover MakerZone

MATLAB and Simulink resources for Arduino, LEGO, and Raspberry Pi

Learn more

Discover what MATLAB® can do for your career.

Opportunities for recent engineering grads.

Apply Today

Security implications by Java

Asked by Jan Simon on 13 Jan 2013

E.g. Matlab R2009a is shipped with Java version 1.6.0_04-b12. There have been a lot of very important bugfixes for Java since this version 6.04. I can update the Java version, but this has strange side-effects e.g. for GUI elements. And even the current Java version 7.10 is severely vulnerable.

Which security problems do I have to expect from Java under Matlab?

0 Comments

Jan Simon

Products

No products are associated with this question.

2 Answers

Answer by Jan Simon on 13 Jan 2013
Edited by Jan Simon on 18 Jan 2013

My own ideas:

  1. Matlab is a very powerful language itself. You do not need to call Java to do evil things. Therefore Java does not increase the level of vulnerability. Running foreign P-files from untrusted sources should be avoided at all. Is this a correct argument?
  2. It is a bad idea to use the built-in browser to surf the internet. Even official web sites have been highjacked and injected evil code to client computer through Java leaks. This harmless test page reveals the Java engine used in the browser:
web('http://javatester.org/version.html')

[EDITED, Jan] Sean's answer has disproved point 2: The builtin browser does not run Java applets. And calling Java directly from Matlab remains a security limitation.

5 Comments

Jan Simon on 18 Jan 2013

Thanks, Malcolm, for these very intersting links. Both opinions concern the possibility to update Java. But what would they say about running v6.04?

Malcolm Lidierth on 18 Jan 2013

@Jan

I agree with your comments:

Use the most up-to-date Java 6. There have been many security fixes over the years (including recently, so you can not assume Java 6 is totally safe either). Fixed bugs are in the public domain so might not attract hackers seeking "kudos" but might still attract malicious/criminal hackers. It will be interesting to see if Oracle now decides to continue support for Java 6 beyond February.

Reasons not to update Java: some users require a guarantee that they will get exactly the same results from a specific MATLAB version when running code in 2008 or 2012 for regulatory/legal reasons. Perhaps that is why MATLAB ships a specific release (although not on Mac where the system version is used).

I think Walter has said somewhere that the MATLAB browser is a legacy Firefox browser. So I think you are probably right to recommend using a modern external browser to view web content but the choice of browser matters too - e.g. some disallow certain content when loaded from a local file system.

Java is on 3 billion devices. That is why it gets targeted. Flash is another target. Not so long ago Explorer was the target. Java is a victim of its success. If it were replaced, its successor would become the target.

Jan Simon
Answer by Sean de Wolski on 18 Jan 2013

Here is the solution we published with regard to last week's Homeland Security (US) warning:

Soln:1-L6T44A

1 Comment

Jan Simon on 18 Jan 2013

Thanks, Sean, for pointing to this important statement. It concerns the current warning of the Homeland Security about a problem of Java 7.10, which allows to break out of the Java sandbox in a browser. The linked solutions explains, that Matlab's built-in browser is not affected.

However, my problem does not concern Java 7.10 in a browser, but 6.04 inside Matlab. E.g. the bug CVE-2008-5353 allows to run arbitrary code under elevated privileges. My question is, if e.g. a malicious student can use Matlab and the included old Java to gain admin privileges on a machine of the computer pool of the university.

Sean de Wolski

Contact us