Java Is A Security Disaster – It Is Time To Stop Using It For Real Estate Tours

March 11th, 2013

I’ve had this post simmering on the back back burner for several weeks but it’s time to remind the whole real estate community to stay away from JAVA! First of all a short history of Java as it relates to real estate tours:

  1. During the mid-2000s Java was used extensively as a technology that made 360s and other real estate tour animation work. It was great technology before Flash became widely used. I still have a bunch of 360s of our old listings that require Java to view. Many tour offerings have never been updated.
  2. Over the last year and several months a series of security flaws have been discovered in Java.
  3. Oracle, which acquired Java from Sun Microsystems and currently maintains it, has been working at fixing security problems. But they are behind the curve, and hackers are finding flaws faster than Oracle can fix them. Every week for the last 3 weeks Oracle has released security fixes to Java, but there are still known unfixed security problems.
  4. Earlier this year Apple removed Java from the OS X distribution. Now you have to manually install it yourself to run it.
  5. A couple of weeks ago some internal Apple developers were infected by a Java exploit at a development site.
  6. Back in January the Department Of Homeland Security advised that all computer users disconnect Java from their browsers. Java is a very popular language and is harmless if it’s not connected to your browser. Many large companies (including banks) have specialized applications written in Java.
  7. Cisco Systems, the company that makes most of the world’s internet routers, has a 2013 security report that says that Java exploits (security flaws) comprised 87 percent of total web exploits.
  8. Technical note: Java has nothing to do with JavaScript despite the name similarity.

Given this history and the number of good alternatives for 360 display and tour animation, it is clearly no longer prudent or responsible to be using Java as a 360 display or tour technology. I think real estate photographers should be doing everything they can to discourage the use of Java in tours and 360 image display.

Within the last week I’ve:

  • Encountered several real estate photographers that still provide 360s that require Java.
  • The top Realtor in my city has a $1M+ listing on that has a tour that requires Java.

Please join me in encouraging real estate photographers and agents to update their tour and 360 display technology.
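One way to find tours that still depend on the Java plug-in, as an added example that is not from the original post: a small Python scanner that checks a tour page's HTML for the markup that loads a Java applet. The sample pages and their file names are constructed for illustration.

```python
from html.parser import HTMLParser

JAVA_MIME = "application/x-java-"  # applet / bean MIME types
JAVA_CLSIDS = ("clsid:8ad9c840-044e-11d1-b3e9-00805f499d93",  # Java Plug-in (IE)
               "clsid:cafeefac-")                             # version-pinned plug-in IDs


class JavaTourScanner(HTMLParser):
    """Records every piece of markup that asks the browser for the Java plug-in."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "applet":
            self.findings.append("applet tag: " + (a.get("code") or a.get("archive") or "?"))
        elif tag in ("object", "embed"):
            if a.get("type", "").lower().startswith(JAVA_MIME):
                self.findings.append(f"{tag} with Java MIME type {a['type']}")
            elif a.get("classid", "").lower().startswith(JAVA_CLSIDS):
                self.findings.append(f"{tag} with Java plug-in classid")
        elif tag == "script" and a.get("src", "").lower().endswith("deployjava.js"):
            self.findings.append("loads deployJava.js")

    def handle_data(self, data):
        # Inline script (or page text) that calls Oracle's applet launcher.
        if "deployjava.runapplet" in data.lower():
            self.findings.append("calls deployJava.runApplet")


def scan(html):
    """Return a list of reasons the page needs Java; empty means none found."""
    parser = JavaTourScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages (class and file names are made up).
OLD_TOUR = ('<applet code="PanoViewer.class" archive="viewer.jar" width="400" height="300">'
            '<param name="file" value="kitchen.jpg"></applet>')
IE_TOUR = ('<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93">'
           '<param name="code" value="Tour.class"></object>')
JS_TOUR = '<p>JavaScript tour</p><canvas id="pano"></canvas><script src="tour.js"></script>'

if __name__ == "__main__":
    for name, page in (("old", OLD_TOUR), ("ie", IE_TOUR), ("js", JS_TOUR)):
        print(name, scan(page) or "no Java required")
```

The JavaScript-based page produces no findings, which matches the technical note in the list above: JavaScript tours do not involve the Java plug-in.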




16 Responses to “Java Is A Security Disaster – It Is Time To Stop Using It For Real Estate Tours”

  • so do you really think Flash is that much more secure???

  • @Steve- No this is not about Flash… What I’m pointing out is that there are specific known continuing security exploits going on with Java.

  • Hi Larry,
    Here is a link that may be of interest to you and the PFRE readers regarding Java from USA Today’s computer guru:

    The short version is:

    “First, make sure you have the most recent version of Java from Oracle’s site.

    To bring up Java’s new security settings, go to Start>>Computer and type “Javacpl.exe” in the search bar.

    If it doesn’t appear, you may have to find it manually. Go to Start>>Computer and open your Local Disk (C:). Go to Program Files (x86)>>Java>>jre7>>bin and scroll down until you see “javacpl.exe”. On 32-bit computers, the file is in Program Files>>Java>>jre7>>bin.

    Run javacpl.exe to load Java’s control panel and select the Security tab. Uncheck the box that says “Enable Java content in the browser.” Then restart any browsers you have running.

    Mac users can find the setting by going to System Preferences and clicking on the Java icon — it looks like a steaming cup of coffee.

    This will disable Java in your browser, but still let you use it for desktop programs.

    Warning: If you do head into your browser settings to check that Java is disabled, you might see something called JavaScript. Don’t disable JavaScript! It’s a different animal and has no security issues.

    Although it’s safer to run Java for a desktop program, it’s best to get it off your machine if you don’t need it.”

    Quoted from USA Today Tech Blog

  • …So what do we do when half of the websites say they’re inaccessible unless you enable Java?

  • Great post Larry. Java is definitely not secure, and to Steve’s comment Flash is not much better. In fact every time you get a notification to update Flash (seems like every other week!) it’s usually because they’ve patched more security flaws. The problem with all these patches is that hackers can and do reverse engineer the patch code to identify the security exploit it was meant to fix, and then use the exploit to hack those who have not yet installed the update. So at the very least make sure you stay updated if you’re using Flash or Java, but going forward HTML5 looks to be a better option. It’s much more secure, more stable and is now fully supported by most modern desktop and mobile browsers.
    If you’re interested in what HTML5 can do, you can learn more about it and see some great demos here:

  • Sorry for the double post, but I can’t even open online .pdf forms (model release templates, etc) without Java. I’m not computer illiterate, but I don’t know how to circumvent the issues that arise if I don’t have Java when so many websites “require” it.

  • @Craig- I don’t find all that many sites require Java… I’ve not had it installed on any of my machines or any of the machines of people in my family that I help out, for at least a year. Java is usually only used if you work for a large company that has decided to use it internally. Some large Swedish banks use it on their sites but for the majority of people you can live with it uninstalled completely.

    If anyone has a site they must use they can turn it on in one browser and only use that browser for Java site access and use a browser that doesn’t have Java connected to the browser for all other access so your risk is minimized.

  • Which Flash are we also talking? Adobe, flash player?

  • Hi Folks, just to clarify, there are 3 different technologies being mentioned in the comments above. They can all be used to create things like tours or slideshows.

    Flash, from Adobe. Pros: content is displayed the same regardless of whether you are using Windows or Mac, FireFox or Internet Explorer. Cons: Requires a plugin and does not work in Apple mobile products like iPhones and iPads. Nutshell: Think fancy animation.

    JavaScript, from Microsoft/Netscape. Pros: requires no plugin and works on iPhone and iPads. Cons: May work differently on Windows vs. Mac and/or FireFox vs. Internet Explorer. Nutshell: Think lightweight software.

    Java, from Sun. Pros: Supposed to work the same regardless of OS or web browser and give you the power of traditional software. The goal of Java was to let a programmer write software once and have it run on anything that has a plugin. Cons: Requires a plugin. The way the plugin works is fundamentally flawed from a security standpoint. Thumbnail: Think heavyweight software that hackers find user-friendly.

    Example: You would use Java to create something like Microsoft Outlook. You would use JavaScript to make something like Google Mail. You would use Flash to create a sexy animated ad promoting the other two.

    As Aric mentioned, the trend is to use JavaScript because it offers a better balance of form vs. function (animation vs. software) without relying on a plugin.

    Hope this helps.

  • Oi… you gotta have Java installed in the browser just to upload photos to Costco.

  • @Kelvin- Then Costco has more than one uploader!… I just uploaded a large file for a 40×30 canvas print yesterday and I assure you I don’t have Java installed on my iMac.

  • There’s no security concern using front end JavaSCRIPT… just to clarify.

  • Also I’d like to point out, property websites with virtual tours using JavaScript are perfectly safe.

  • @Robert- Yes you are absolutely right!

  • Java, not JavaScript, is a security Chernobyl. No safe version exists. How do I know this? I have family in the internet security business. Don’t believe me? Follow some serious penetration testing folks on Twitter for a couple of weeks.

    I have Java disabled on all my devices and will not enable it. It’s so bad Apple recently unilaterally disabled Java on all OSX computers connected to the internet. They then released an OSX update weeks later to reinstall a version that is safe from the most common exploits. Whether or not it’s literally possible to ever make Java secure without starting from scratch remains to be seen. Large corporations rely on old Java apps for critical IT tasks and are unable to change over to a more appropriate platform because of the potential for disruption and the replacement/retraining costs.

    Flash is not only insecure, it is evil. Flash is bloated and inefficient beyond imagination. Even Adobe abandoned mobile Flash because the underlying code is so bad it overheated and sucked batteries dry in mobile devices… including the various flavors of Android. I realize there is a religious aspect to attacking/defending Flash because Steve Jobs declared it dead and caused immediate polarization among users and developers. But in fact it too is probably impractical to fix.

  • I’ll try again on the right post this time ha ha

    We might have to take a look into exactly what we are using at our company here in Melbourne. No issues security wise so far but definitely an important reminder to take a good look at security at all times I agree.
