LinuxQuestions.org


Amarildo 06-21-2014 01:31 PM

Java Runtime - How much of a Security Threat?
 
I've been reading a lot about Java being a security threat on web browsers; even Homeland Security recommends disabling it IMMEDIATELY. But what about the full Java environment without any web plugin? I ask this because I have two applications running on VBox which require the JRE: tuxguitar and Libre Office.

I can't find any studies about this. If anyone could help, I'd appreciate it :)

sundialsvcs 06-21-2014 04:16 PM

The reason why a Java plug-in is not recommended is that you probably don't want software from unknown sources to be loaded, without your knowledge or consent, such that it has access to the full Java programming language.

unSpawn 06-21-2014 08:18 PM

Quote:

Originally Posted by Amarildo (Post 5191760)
I've been reading a lot about Java being a security threat on web browsers; even Homeland Security recommends disabling it IMMEDIATELY.

Java itself has very limited use (if you needed it for business purposes you would know); there's Java-based malware and the number of flaws is not zero[0].


Quote:

Originally Posted by Amarildo (Post 5191760)
what about the full Java environment without any web plugin?

As far as Java as an infection vector is concerned, that depends on you running[1] or allowing anyone to execute Java applications. If you're not exposing any Java-based services to the 'net[2] and won't allow 'net-facing client applications to execute Java, then it is presumed only local system or authenticated accounts are able to execute (/usr/bin/)java and related applications. As you're running those applications inside VirtualBox (you could even sever the network connection as they wouldn't need that anyway), you've practically isolated them from the rest of the system. I don't know about Tuxguitar, but Libre Office and OpenOffice.org IIRC only require the JRE for database-related functionality. Note that with the audit service you can also track who executes Java[3].

Code:

0) https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=java
1) pgrep -lf java
2) lsof -Pwlni|grep java
3) auditctl -a always,exit -F path=/usr/bin/java -F perm=x -k exec_java
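
A sketch of how the records produced by the audit rule in footnote 3 can be summarised per account, as an added example that is not part of the original thread. The log lines are constructed and abbreviated, and the function names `sample_audit_log` and `java_exec_summary` are hypothetical; on a live system `ausearch -k exec_java -i` reads the real log.

```shell
#!/bin/sh
# Added example: who triggered the exec_java audit rule, and did the exec succeed?
# Constructed, abbreviated records in the raw format of /var/log/audit/audit.log.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1403399880.101:412): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2251 auid=1000 uid=1000 euid=1000 tty=pts0 ses=1 comm="java" exe="/usr/bin/java" key="exec_java"
type=PATH msg=audit(1403399880.101:412): item=0 name="/usr/bin/java" inode=131085 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1403399941.557:430): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2304 auid=1000 uid=1000 euid=1000 tty=pts0 ses=1 comm="java" exe="/usr/bin/java" key="exec_java"
type=SYSCALL msg=audit(1403400012.020:447): arch=c000003e syscall=59 success=yes exit=0 ppid=2390 pid=2391 auid=1000 uid=0 euid=0 tty=pts0 ses=1 comm="java" exe="/usr/bin/java" key="exec_java"
type=SYSCALL msg=audit(1403400100.733:460): arch=c000003e syscall=59 success=yes exit=0 ppid=811 pid=2460 auid=4294967295 uid=33 euid=33 tty=(none) ses=4294967295 comm="java" exe="/usr/bin/java" key="exec_java"
type=SYSCALL msg=audit(1403400155.340:471): arch=c000003e syscall=59 success=no exit=-13 ppid=2502 pid=2510 auid=1001 uid=1001 euid=1001 tty=pts1 ses=2 comm="bash" exe="/bin/bash" key="exec_java"
type=SYSCALL msg=audit(1403400170.902:480): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=640 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="logins"
EOF
}

# Reads audit records on stdin; prints "auid uid success count" per combination.
java_exec_summary() {
    awk '
    # Only SYSCALL records carry the caller identity and the rule key.
    $1 == "type=SYSCALL" && /key="exec_java"/ {
        auid = uid = ok = "?"
        for (i = 2; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "auid") auid = v          # login uid, survives su/sudo
            else if (k == "uid") uid = v       # uid the process ran as
            else if (k == "success") ok = v
        }
        # auid 4294967295 (-1 as unsigned 32-bit) means no login session,
        # for example a daemon or cron job rather than an interactive user.
        if (auid == "4294967295") auid = "unset"
        seen[auid " " uid " " ok]++
    }
    END { for (c in seen) print c, seen[c] }
    ' | LC_ALL=C sort
}

sample_audit_log | java_exec_summary
```

Rows where `auid` and `uid` differ show Java started under a different account than the one that logged in, and `unset` rows show executions that did not come from a login session at all.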



All times are GMT -5.