Answer from Steffen Ullrich on Stack Exchange
If you use Java like most other programming languages, e.g. to write standalone applications, it is no less secure than other languages and more secure than C or C++ because there are no buffer overflows etc.
But Java is regularly used as a plugin inside the web browser, e.g. similar to Flash. Because in this case the user runs untrusted code without having explicitly installed it, the idea is to have the code run inside a limited sandbox, where it should not be able to somehow act against the system or the user (e.g. read local files and send them to the website, scan the local network etc.). And this is where Java failed in recent years, e.g. new bugs popped up sometimes on a daily basis which allowed escaping from the sandbox.
Also, sometimes bugs in the byte code interpreter or native libraries lead to buffer overflows and could compromise the system, but in this regard Flash is usually considered worse.
And as for the other languages being better: these usually can't even run as untrusted code inside a sandbox (the exception is JavaScript and maybe Flash), so they would be even worse because there is no inherent way to limit their interaction with the system.
The security vulnerabilities reported are not about Java (the programming language), which, by virtue of the JVM enforcing memory safety, is actually more robust than languages such as C or C++, where buffer overflows and buffer over-reads remain a threat, and can result in messes like Heartbleed.
Instead, the vulnerabilities reported are in the Java Sandbox, which attempts to enforce a privilege model that permits safe execution of untrusted code, and is most famously used to permit the automatic execution of Java Applets in a browser. That sandbox is riddled with holes. Also, Oracle releases patches (the "critical patch updates") only 4 times a year. Needless to say, browser vendors are not happy about this. Firefox, for instance, has required user authorisation to launch a Java Applet since Firefox 26.
The reason the press reports do not make that distinction is that Oracle uses the "Java" trademark both for the programming language, and the browser plugin that runs applets. In fact, if an ordinary user encounters the Java trademark, it probably refers to the latter.
It is somewhat speculative why exactly the Sandbox remains vulnerable. If you ask me, one reason is that the same API is used both with and without the Sandbox, and most Java code runs without the Sandbox (because the code is trusted). As a result, it is quite possible for a developer to forget about that obscure feature when changing the Java API or its implementation, accidentally exposing things that should be protected (to illustrate how easy that is, behold the lengthy Secure Coding Guidelines for Java SE). Another but related reason is the sheer size of the Java API (5800 classes, and nearly 50,000 methods, for Java SE 6).
IMHO, that's a very misleading statement. In Java, you cannot access out-of-bound arrays, and you don't have pointers, and thus several security flaws like stack corruption or buffer overflow are impossible to exploit in Java. But Java is not inherently more secure than any other language; it's just that there is less chance to make mistakes that can cause security flaws. In effect, this reduces security flaws, but it's totally misleading to say Java is secure.
There are two things that make Java "more secure" than other languages in certain aspects:
- Automatic array bounds checking and the lack of manual memory management make certain classes of programming mistakes that often cause serious security holes (such as buffer overruns) impossible. Most other modern languages share this feature, but C and C++, which were dominant (and still are major) application development languages at the time Java first appeared, do not.
- The Security Manager concept makes it relatively easy to run Java applications in a "sandbox" that prevents them from doing any harm to the system they are running on. This played an important part in promoting Java during its early days, since Applets were envisioned as a ubiquitous, safe way to have client-side web applications.
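As an added example, not code from any of the answers above, this demo ties the Security Manager sandbox from the last bullet to the earlier answer's point that the same API runs with and without the sandbox: a minimal custom SecurityManager denies reads under a constructed path and of a constructed in-process secret, and two hypothetical API methods, `secretChecked` and `secretUnchecked`, differ only in whether they consult the manager (`SandboxDemo`, `DemoSandbox` and the `demo.readSecret` permission name are made up for the demo).

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;

public class SandboxDemo {
    // Constructed path prefix: sandboxed code must not read anything under it.
    static final String PROTECTED_DIR = "/tmp/protected";
    // Constructed in-process secret; nothing in the JDK guards it, only our own check.
    private static final String SECRET = "constructed-api-token";
    static class DemoSandbox extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            boolean protectedFile = perm instanceof FilePermission
                && new File(perm.getName()).getAbsolutePath().startsWith(PROTECTED_DIR);
            boolean secretRead = perm instanceof RuntimePermission
                && perm.getName().equals("demo.readSecret");
            if (protectedFile || secretRead) {
                throw new SecurityException("sandbox denied " + perm);
            }
            // Everything else stays permitted so the demo itself keeps running.
        }
    }
    // Correct pattern: consult the manager, if one is installed, before the sensitive step.
    static String secretChecked() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission("demo.readSecret"));
        }
        return SECRET;
    }
    // Forgotten check: identical behaviour without a manager, so ordinary tests never notice.
    static String secretUnchecked() {
        return SECRET;
    }
    public static void main(String[] args) {
        String path = PROTECTED_DIR + "/token.txt"; // need not exist; the check still fires
        System.out.println("trusted: " + secretChecked() + " len=" + new File(path).length());
        // JDK 17 warns, JDK 18 to 23 need -Djava.security.manager=allow, JDK 24 removes it.
        System.setSecurityManager(new DemoSandbox());
        Runnable[] ops = {
            () -> new File(path).length(), // java.io.File performs checkRead itself
            () -> secretChecked(),
            () -> secretUnchecked() };
        for (Runnable op : ops) {
            try { op.run(); System.out.println("allowed: missing check?"); }
            catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
        }
    }
}
```

Run it on a JDK that still ships the Security Manager (JDK 17 warns, JDK 18 to 23 require `-Djava.security.manager=allow`, JDK 24 removed it); under the sandbox only `secretUnchecked` prints "allowed", which is exactly the forgotten check the earlier answer describes.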