Security implications by Java

Jan
Jan on 13 Jan 2013
E.g. Matlab R2009a is shipped with Java version 1.6.0_04-b12. There have been a lot of very important bugfixes for Java since this version 6.04. I can update the Java version, but this has strange side-effects e.g. for GUI elements. And even the current Java version 7.10 is severely vulnerable.
Which security problems do I have to expect from Java under Matlab?

Answers (2)

Jan
Jan on 13 Jan 2013
Edited: Jan on 18 Jan 2013
My own ideas:
  1. Matlab is a very powerful language itself. You do not need to call Java to do evil things. Therefore Java does not increase the level of vulnerability. Running foreign P-files from untrusted sources should be avoided at all. Is this a correct argument?
  2. It is a bad idea to use the built-in browser to surf the internet. Even official web sites have been hijacked and have injected evil code into client computers through Java leaks. This harmless test page reveals the Java engine used in the browser:
web('http://javatester.org/version.html')
[EDITED, Jan] Sean's answer has disproved point 2: The builtin browser does not run Java applets. And calling Java directly from Matlab remains a security limitation.
  5 Comments
Jan
Jan on 18 Jan 2013
Edited: Jan on 18 Jan 2013
Thanks, Malcolm, for these very interesting links. Both opinions concern the possibility to update Java. But what would they say about running v6.04?
Malcolm Lidierth
Malcolm Lidierth on 18 Jan 2013
Edited: Malcolm Lidierth on 18 Jan 2013
@Jan
I agree with your comments:
Use the most up-to-date Java 6. There have been many security fixes over the years (including recently, so you can not assume Java 6 is totally safe either). Fixed bugs are in the public domain so might not attract hackers seeking "kudos" but might still attract malicious/criminal hackers. It will be interesting to see if Oracle now decides to continue support for Java 6 beyond February.
Reasons not to update Java: some users require a guarantee that they will get exactly the same results from a specific MATLAB version when running code in 2008 or 2012 for regulatory/legal reasons. Perhaps that is why MATLAB ships a specific release (although not on Mac where the system version is used).
I think Walter has said somewhere that the MATLAB browser is a legacy Firefox browser. So I think you are probably right to recommend using a modern external browser to view web content but the choice of browser matters too - e.g. some disallow certain content when loaded from a local file system.
Java is on 3 billion devices. That is why it gets targeted. Flash is another target. Not so long ago Explorer was the target. Java is a victim of its success. If it were replaced, its successor would become the target.
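The thread turns on which JVM MATLAB is actually running (the bundled one, or one substituted through the MATLAB_JAVA environment variable) and whether it is older than a baseline an administrator considers acceptable. The following MATLAB function is an added example for that inventory check; it is not code from the thread or from MathWorks. The function name, the baseline string and the 'java.*' property lookups via MATLAB's Java bridge are assumptions for illustration; the baseline '1.6.0_38' is a placeholder, not a version the page states.

```matlab
function report = javaVersionCheck(minVersion)
% javaVersionCheck  Report which JVM this MATLAB session runs on and flag
% whether it is older than a given baseline.
% Added example, not part of the original thread. Assumed inputs:
%   minVersion - baseline such as '1.6.0_38' (placeholder, chosen by the admin)
if nargin < 1
    minVersion = '1.6.0_38';   % placeholder baseline, not from the page
end
report = struct();
report.jvmPresent = usejava('jvm');
if ~report.jvmPresent
    % MATLAB started with -nojvm: no Java code (trusted or not) can run here.
    report.message = 'No JVM loaded (-nojvm); Java-based issues do not apply.';
    return
end
% Properties of the JVM actually loaded, read through MATLAB's Java bridge.
report.javaVersion = char(java.lang.System.getProperty('java.version'));
report.javaHome    = char(java.lang.System.getProperty('java.home'));
% Non-empty MATLAB_JAVA means the bundled JVM was overridden at startup.
report.overrideEnv = getenv('MATLAB_JAVA');
% MATLAB normally runs without a Java SecurityManager, i.e. no applet-style
% sandbox: Java called from MATLAB has the same rights as the MATLAB process.
report.securityManager = ~isempty(java.lang.System.getSecurityManager());
report.belowBaseline = compareJavaVersions(report.javaVersion, minVersion) < 0;
if report.belowBaseline
    report.message = sprintf('JVM %s is older than baseline %s', ...
        report.javaVersion, minVersion);
else
    report.message = sprintf('JVM %s meets baseline %s', ...
        report.javaVersion, minVersion);
end
end

function c = compareJavaVersions(a, b)
% Compare two '1.6.0_04'-style strings: -1 if a < b, 0 if equal, 1 if a > b.
pa = parseJavaVersion(a);
pb = parseJavaVersion(b);
n = max(numel(pa), numel(pb));
pa(end+1:n) = 0;            % pad shorter vector so '1.6.0' == '1.6.0_00'
pb(end+1:n) = 0;
d = pa - pb;
idx = find(d ~= 0, 1);
if isempty(idx)
    c = 0;
else
    c = sign(d(idx));
end
end

function parts = parseJavaVersion(s)
% Strip a build suffix such as '-b12', then split on '.' and '_'.
s = regexprep(s, '-.*$', '');
parts = cellfun(@str2double, regexp(s, '[._]', 'split'));
end
```

Calling `javaVersionCheck()` in a session of the release discussed above would report 1.6.0_04 as below the placeholder baseline; the `securityManager` field is the part worth reading alongside the CVE discussion, because a JVM driven from MATLAB runs with the user's full privileges rather than in a browser sandbox, so "sandbox escape" bugs are not the relevant class, while any bug reachable through Java code the session executes is.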



Sean de Wolski
Sean de Wolski on 18 Jan 2013
Here is the solution we published with regard to last week's Homeland Security (US) warning:
  1 Comment
Jan
Jan on 18 Jan 2013
Thanks, Sean, for pointing to this important statement. It concerns the current warning of the Homeland Security about a problem of Java 7.10, which allows to break out of the Java sandbox in a browser. The linked solution explains that Matlab's built-in browser is not affected.
However, my problem does not concern Java 7.10 in a browser, but 6.04 inside Matlab. E.g. the bug CVE-2008-5353 allows to run arbitrary code under elevated privileges. My question is whether, e.g., a malicious student can use Matlab and the included old Java to gain admin privileges on a machine of the computer pool of the university.
