At one time, its Windows operating system was a prime target for hackers. It was said a Windows computer that connected to the Internet without virus protection would be infected in seconds.
Java is in the same boat. Oracle has been plugging holes in the software for more than a year in what often seems like an unending game of vulnerability wackamole.
For example, earlier this month, Oracle rolled out a massive update to Java 7 that addressed 50 security threats in the software. This week — after widely publicized attacks on Facebook and Apple through Java vulnerabilities — Oracle rolled out another security update with five additional fixes.
One of the problems with Java is it has been around so long and is so widely used, it can be hard to avoid contact with it. Just last week, for instance, among Microsoft’s Patch Tuesday fixes was one that addressed a vulnerability found in Oracle Outside In libraries. Outside In is used to convert files from various formats so they can be viewed in a web browser.
In Exchange, those libraries allow Outlook Web Access users to read certain document types attached to emails in a browser window without opening the native application for those documents.
So when an email arrives with an attachment that’s a Word, Excel, PowerPoint or PDF file, a link labeled “Open as Web Page” appears next to it. With a click of the link, a version of the attachment will open in OWA’s WebReady Document Viewing.
One of the drawbacks of using WebReady Document Viewing is that it uses Oracle Outside In libraries to display some document types. Given Oracle’s security problems, if alternatives were available, it might be a good idea to take advantage of it.
Such an alternative exists, in part, in Outlook 2013. It’s called Office Web Apps Server. File types displayed by OWAS by default include:
- • Word documents with extensions doc, docx, dot;
- • Excel documents with extensions xls,xlsx, xlsm, xlm and xlsb; and
- • PowerPoint documents with extensions ppt, pptx, pps, ppsx, potx, pot, pptm, potm and ppsm.
As you can see, OWAS is limited to file formats in Microsoft products.
OWAS operates differently from WebReady Document Viewing found in previous versions of Exchange. Webready Document View is part of Exchange itself in previous versions of the software. So when a user views an attachment, what needs to happen to view that attachment happens on your Exchange server.
With OWAS, when an attachment is viewed in an email by an Exchange, Lync or SharePoint user, a Web app Open Platform Interface call is made to the OWA server and the document rendered from there.
Although OWAS may provide a more secure alternative to Java libraries, it does require its own server — either a separate box or virtual box — to run. That can be a barrier to implementation in some organizations.
On the other hand, there can be advantages to standalone deployment, too. You can apply updates to OWAS on a different timetable from Exchange, Lync and SharePoint. It also alleviates the burden of optimizing your SharePoint infrastructure to accommodate Office Web Apps.