Java applications, widely used in mobile games, robots, embedded systems, and business applications, have been scrutinized by European researchers led by Alexandre Bartel, Professor of Software Engineering and Security at Umeå University. 

The study, conducted in collaboration with other researchers, reveals critical security flaws in software written in Java, a programming language with a significant global footprint.

"We have identified weaknesses and how they have been addressed. The problem is that the programmers seem to repeat the same mistakes over and over again and therefore reintroduce the vulnerabilities," Bartel said in a statement.


Security Flaws in Java Applications

The vulnerabilities in focus were related to the deserialization process, wherein packaged information is restored to its previous state. This process, crucial for applications handling user settings, game functions, shopping carts, and banking operations, was found to be susceptible to exploitation. 

It is worth noting that deserialization is a process in computer science that involves reconstructing an object or data structure from a serialized form.

Serialization, the opposite of deserialization, refers to the process of converting an object or data structure into a format that can be easily stored, transmitted, or reconstructed. This format is often a stream of bytes. 

The researchers emphasize that these weaknesses pose potential risks to businesses, governments, and public authorities, with the potential for significant financial consequences.

They investigated how Java vulnerabilities, particularly those involving deserialization, are addressed. Bartel points out that the study identifies recurring mistakes made by programmers, leading to the reintroduction of vulnerabilities. 

The findings show that because the serialized byte stream carries the information the receiver reconstructs, an attacker who can alter that stream can change what is rebuilt during deserialization and thereby gain control over the receiving system.
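As an added illustration (not code from the study or this article), the unsafe `readObject` pattern the researchers describe is shown beside the hardened form a defender would use: a JEP 290 deserialization filter (Java 9 or later) that allowlists the one class the application expects. `CartItem` and `Coupon` are hypothetical types constructed for the demo; `Coupon` stands in for any class the receiver was never meant to instantiate from its input.

```java
import java.io.*;

public class DeserializationFilterDemo {
    // Hypothetical application type: a shopping-cart line item.
    static final class CartItem implements Serializable {
        private static final long serialVersionUID = 1L;
        final String sku; final int quantity;
        CartItem(String sku, int quantity) { this.sku = sku; this.quantity = quantity; }
    }
    // Constructed stand-in for any class the application does not expect in its input.
    static final class Coupon implements Serializable {
        private static final long serialVersionUID = 1L;
        final String code;
        Coupon(String code) { this.code = code; }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Unsafe pattern: the byte stream, not the application, decides which classes get instantiated.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }
    // Hardened pattern (JEP 290): first matching pattern wins, and "!*" rejects everything else.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "DeserializationFilterDemo$CartItem;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] cart = serialize(new CartItem("SKU-42", 2));
        CartItem item = (CartItem) deserializeFiltered(cart);
        System.out.println("allowlisted class accepted: " + item.sku + " x" + item.quantity);
        byte[] unexpected = serialize(new Coupon("SAVE10"));
        System.out.println("unfiltered readObject built: " + deserializeUnfiltered(unexpected).getClass().getName());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor before any Coupon object is constructed.
            System.out.println("filtered readObject rejected it: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which is how a deployment covers deserialization sites it does not control directly.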


Major Companies Affected

The study highlights examples of major companies affected by these flaws, including PayPal, the San Francisco Department of Transportation, and Equifax. Vulnerabilities led to unauthorized access, control over computers, and the theft of a massive amount of personal data, respectively. 

"Our findings suggest that the entire supply chain of the developed application should be thoroughly verified throughout the application's lifecycle. The findings are very serious as they have the potential to be costly, not only for companies but also for society at large," Bartel noted.

Serialization and deserialization are fundamental computer science processes involving data structure storage and transfer. They also play critical roles in various sectors, such as pharmaceuticals, game development, and the financial industry. 

The researchers said they are actively working on developing more efficient methods to detect and prevent these vulnerabilities, aiming to enhance the security of Java applications. 



ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.