Security implications by Java

E.g. Matlab R2009a is shipped with Java version 1.6.0_04-b12. There have been a lot of very important bugfixes for Java since this version 6.04. I can update the Java version, but this has strange side-effects e.g. for GUI elements. And even the current Java version 7.10 is severely vulnerable.
Which security problems do I have to expect from Java under Matlab?

Answers (2)

Jan
Jan on 13 Jan 2013
Edited: Jan on 18 Jan 2013
My own ideas:
  1. Matlab is a very powerful language itself. You do not need to call Java to do evil things. Therefore Java does not increase the level of vulnerability. Running foreign P-files from untrusted sources should be avoided altogether. Is this a correct argument?
  2. It is a bad idea to use the built-in browser to surf the internet. Even official web sites have been hijacked and have injected evil code into client computers through Java leaks. This harmless test page reveals the Java engine used in the browser:
web('http://javatester.org/version.html')
[EDITED, Jan] Sean's answer has disproved point 2: The built-in browser does not run Java applets. And calling Java directly from Matlab remains a security limitation.
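The thread turns on which JVM a given MATLAB session actually runs (the bundled 1.6.0_04 versus a user-installed update, or the system JVM on Mac). The following function is an added example, not code from the thread or from MathWorks: it reads the version and vendor of the JVM loaded in the current session and checks it against a minimum you set as policy. The default baseline '1.6.0_45' is an assumed placeholder for illustration, not a recommendation from the page.

```matlab
function report = checkMatlabJava(minVersion)
% checkMatlabJava  Report the JVM this MATLAB session runs on and whether it
% is at least minVersion (a string such as '1.6.0_45').
%
% Added example, not from the original thread. Assumes MATLAB was started
% with the JVM enabled (i.e. not with -nojvm) and that version strings follow
% the "major.minor.patch_update" layout used by Java 6 and 7.
if nargin < 1
    minVersion = '1.6.0_45';   % assumed baseline for illustration only
end
report = struct('jvmEnabled', usejava('jvm'), 'javaVersion', '', ...
                'vendor', '', 'atLeastMinimum', false);
if ~report.jvmEnabled
    % No JVM loaded: no Java attack surface inside MATLAB, but also no GUIs.
    return;
end
% Query the running JVM directly rather than parsing the output of version('-java').
report.javaVersion = char(java.lang.System.getProperty('java.version'));
report.vendor      = char(java.lang.System.getProperty('java.vendor'));
report.atLeastMinimum = compareJavaVersion(report.javaVersion, minVersion) >= 0;
end

function c = compareJavaVersion(a, b)
% Numeric comparison of two "x.y.z_u" strings: returns -1, 0 or +1.
va = parseJavaVersion(a);
vb = parseJavaVersion(b);
idx = find(va ~= vb, 1, 'first');
if isempty(idx)
    c = 0;
else
    c = sign(va(idx) - vb(idx));
end
end

function v = parseJavaVersion(s)
% Extract [major minor patch update] from e.g. '1.6.0_04-b12'.
% A missing update field (e.g. '1.7.0') counts as update 0.
tok = regexp(s, '^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?', 'tokens', 'once');
if isempty(tok)
    error('checkMatlabJava:badVersion', ...
          'Unrecognised Java version string: %s', s);
end
tok(cellfun(@isempty, tok)) = {'0'};
v = cellfun(@str2double, tok);
end
```

Save it as checkMatlabJava.m and call `r = checkMatlabJava('1.6.0_45')`; on an unmodified R2009a the `javaVersion` field shows the bundled 1.6.0_04 and `atLeastMinimum` is false. For lab machines that need no MATLAB GUI at all, starting MATLAB with the documented `-nojvm` option removes the bundled JVM from the picture entirely, which the `jvmEnabled` field will reflect.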

5 Comments

Malcolm Lidierth
Malcolm Lidierth on 13 Jan 2013
Edited: Malcolm Lidierth on 13 Jan 2013
Jan
I agree entirely with [1] above but it does not require p-files: m-files can contain exactly the same malicious code - it's just that you can then read it. Java is targeted because of its ubiquity: it's more profitable for a criminal to target 100 million Java users than 1 million MATLAB users. To keep your PC completely safe - never turn it on.
As far as Java versions go, I have always used the latest within-version update on Windows and Mac without any issues but I do not use MATLAB uicontrols in my code.
Next month will see the final scheduled update to Java 6. Hopefully, MATLAB will eventually catch up. Java 8 is due later this year.
Jan
Jan on 14 Jan 2013
Edited: Jan on 14 Jan 2013
It is not easy to write Matlab code that gains admin privileges without being very easy to detect in M-code. Some years ago, or when a user does not update frequently, there was a weakness in sprintf which allowed the execution of evil code with elevated privileges. But currently I do not know any harmless-looking evil M-functions. For Java, however, several severe problems are known and can be found on the net. Therefore on some critical systems in our labs, e.g. those which contain personal data of patients, installing Java is prohibited (as well as any internet connection, of course), but Matlab is allowed. Will it be hard or impossible to find good reasons for this?
I assume this would be a more serious problem, if somebody offers a service to run foreign Matlab code on a server without checks. Would anybody dare to do this?!
Jan
Jan on 18 Jan 2013
Edited: Jan on 18 Jan 2013
Thanks, Malcolm, for these very interesting links. Both opinions concern the possibility of updating Java. But what would they say about running v6.04?
Malcolm Lidierth
Malcolm Lidierth on 18 Jan 2013
Edited: Malcolm Lidierth on 18 Jan 2013
@Jan
I agree with your comments:
Use the most up-to-date Java 6. There have been many security fixes over the years (including recently, so you cannot assume Java 6 is totally safe either). Fixed bugs are in the public domain so might not attract hackers seeking "kudos" but might still attract malicious/criminal hackers. It will be interesting to see if Oracle now decides to continue support for Java 6 beyond February.
Reasons not to update Java: some users require a guarantee that they will get exactly the same results from a specific MATLAB version when running code in 2008 or 2012 for regulatory/legal reasons. Perhaps that is why MATLAB ships a specific release (although not on Mac where the system version is used).
I think Walter has said somewhere that the MATLAB browser is a legacy Firefox browser. So I think you are probably right to recommend using a modern external browser to view web content but the choice of browser matters too - e.g. some disallow certain content when loaded from a local file system.
Java is on 3 billion devices. That is why it gets targeted. Flash is another target. Not so long ago Explorer was the target. Java is a victim of its success. If it were replaced, its successor would become the target.


Sean de Wolski
Sean de Wolski on 18 Jan 2013
Here is the solution we published with regard to last week's Homeland Security (US) warning:

1 Comment

Thanks, Sean, for pointing to this important statement. It concerns the current warning of the Homeland Security about a problem in Java 7.10 which allows breaking out of the Java sandbox in a browser. The linked solution explains that Matlab's built-in browser is not affected.
However, my problem does not concern Java 7.10 in a browser, but 6.04 inside Matlab. E.g. the bug CVE-2008-5353 allows arbitrary code to run under elevated privileges. My question is whether e.g. a malicious student can use Matlab and the included old Java to gain admin privileges on a machine in the computer pool of the university.

Asked:

Jan
on 13 Jan 2013