Is it time to give Java the boot? Experts say yes.
Java, the programming language designed to make the web fun and interactive, has become one of the weakest links in a PC’s and Mac's defenses against external threats. Consider the most recent Java vulnerability, a weakness currently being exploited by malware distributors: When Oracle, Java's maker, released an emergency update to fix the software, security analysts reported that even the hot-off-the-presses code contains additional vulnerabilities.
But the most recent security problems with Java are far from unique. Security firm Sophos, for example, blames an underlying Java vulnerability for attacks by the Flashback malware last April that infected one out of five Macs.
The rewards don't outweigh the risks, security experts say. “I'd say 90 percent of users don't need Java anymore,” says Dominique Karg, the founder and chief hacking officer of AlienVault, a security software company. “I consider myself a ‘power user’ and the last and only time I realized I had Java installed on my Mac was when I had to update it.”
If you own a PC you know that nagging feeling of insecurity when you're asked to update your Windows PC for the umpteenth time. It may only be moderately disruptive, but it’s a monthly reminder that your computer, and the personal information contained therein, remains a target for criminals.
Over the years both Apple and Microsoft have hardened their systems’ defenses. The Mac operating system has been near-bulletproof to vulnerabilities, and the company no longer ships new devices with Java preinstalled. Microsoft has made a full-court press to eliminate operating system-level vulnerabilities since the Conficker worm outbreak in late 2008, and no comparable worms have attacked Windows systems since then.
Mozilla and Opera, as well as Microsoft, maker of Internet Explorer, have spent the better part of the past decade toughening their browsers against attacks through a relentless parade of updates. Mozilla, for example, lists 2237 bugs – not all security bugs – that were fixed in its version 15 release of the Firefox browser, which was published on August 28.
But even if your OS and browser security is inspired by Fort Knox, the bad guys always seem to find a new gap in the armor.
Java: Weak Link in Security Chain
Now that it's harder to penetrate the browsers and the OS, data thieves have changed their tactics, targeting the two remaining weakest links: third-party browser plug-ins or add-ons, and users themselves. Among third-party plug-ins, Java continues to be abused as a vehicle for automated “drive-by” attacks, often enabled by low-cost exploit kits sold on the black market. In March, Forbes published a price list showing what nefarious buyers will pay for exclusive access to a new, so-called zero-day vulnerability. The reward of $40,000 to $100,000 is more than enough motivation for exploit coders to start early and work late.
Part of the attraction is Java’s ubiquity. “It’s almost a compliment to Java’s developers,” says Steve Santorelli, director of global outreach for Team Cymru, a security research nonprofit in Florida. Java, unlike any other browser plug-in, runs in nearly every operating system imaginable. “It comes down to the economics of malware,” Santorelli says. Malware authors want the biggest possible return on their investment in development, which means malware that targets the widest possible market.
Java delivers on that investment, though it does so in ways that (probably) make Oracle CEO Larry Ellison cringe. Oracle inherited Java when it acquired Sun Microsystems in 2009, but the company was unwilling to comment for this report.
Fixing, Plugging, and Patching Java
While Oracle (and Sun before it) delivers regular updates to fix Java security issues, getting those updates installed on the computers and devices of all those millions of end-users remains a challenge.
Security firm Secunia, which tracks the software installed on end-user PCs, reports quarterly on Java vulnerabilities and how rapidly they’re fixed. The firm’s fourth-quarter Security Factsheet for Java reports that in 2011 Oracle released five advisory bulletins, warning of 58 vulnerabilities involving Java. Patches or updates were available on the day the bulletin was published in only three of the five cases. During 2011, 78 percent of malware attacks targeted vulnerable third-party applications, including Java as well as Adobe’s Flash and Acrobat.
Leaving old, vulnerable versions of any Internet-connected software installed on a computer is a recipe for disaster.
“In many cases, Java’s built-in upgrading capability fails outright, leaving normal users stranded,” says Darien Kindlund, senior staff scientist at anti-malware company FireEye.
“Ever since the mainstream adoption of 64-bit Windows 7, Java (and other add-ons, like Flash) suffer from 32-bit/64-bit ‘fractionalization,’” Kindlund explains. “Just because you install a patched, 64-bit version of Java, does not mean you’re fully protected, if a vulnerable, 32-bit version of Java is still installed on the system (or vice-versa).”
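A check for the mixed 32-bit/64-bit situation Kindlund describes, as an added example that is not part of the original article: it parses `java -version` banners (which Java writes to stderr) collected from each install and flags any runtime older than the newest one found on the same machine. The install paths and version strings below are constructed sample data, and treating every banner without "64-Bit" as 32-bit is an assumption.

```python
import re

# Constructed sample: `java -version` banners keyed by install path (not from the article).
SAMPLE_BANNERS = {
    r"C:\Program Files\Java\jre7\bin\java.exe": (
        'java version "1.7.0_07"\n'
        "Java(TM) SE Runtime Environment (build 1.7.0_07-b10)\n"
        "Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)\n"
    ),
    r"C:\Program Files (x86)\Java\jre6\bin\java.exe": (
        'java version "1.6.0_31"\n'
        "Java(TM) SE Runtime Environment (build 1.6.0_31-b05)\n"
        "Java HotSpot(TM) Client VM (build 20.6-b01, mixed mode, sharing)\n"
    ),
}

VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_runtime(path, banner):
    """Return path, version tuple and architecture, or None if unparseable."""
    match = VERSION_RE.search(banner)
    if match is None:
        return None
    version = tuple(int(part or 0) for part in match.groups())
    # Assumption: 64-bit HotSpot banners contain "64-Bit"; anything else is treated as 32-bit.
    arch = "64-bit" if "64-Bit" in banner else "32-bit"
    return {"path": path, "version": version, "arch": arch}


def audit(banners):
    """Split installs into stale (older than the newest found) and unparsed."""
    parsed, unparsed = [], []
    for path, banner in banners.items():
        runtime = parse_runtime(path, banner)
        if runtime is None:
            unparsed.append(path)
        else:
            parsed.append(runtime)
    newest = max((r["version"] for r in parsed), default=None)
    stale = [r for r in parsed if r["version"] < newest] if parsed else []
    return {"newest": newest, "stale": stale, "unparsed": unparsed}


if __name__ == "__main__":
    report = audit(SAMPLE_BANNERS)
    for r in report["stale"]:
        print("STALE", r["arch"], ".".join(map(str, r["version"])), r["path"])
    for path in report["unparsed"]:
        print("UNKNOWN", path)
```

An install listed as unparsed should be inspected by hand rather than assumed current.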
AlienVault’s Karg notes that Java is rightly no longer part of most operating systems. “Java shouldn't come pre-installed with common OSes,” Karg says. “It doesn't come with Linux by default, and the latest Windows version doesn't bundle it either.”
By now, a few weeks after the Flashback malware outbreak struck OS X, it’s well understood that Apple releases its own Java updates, and this sometimes means Mac users don’t get access to the latest version for weeks or months after their Windows-using counterparts.
This all leaves open the question of whether end-users – meaning you – should even leave Java on your computer, or uninstall it entirely instead of updating.
“If you use your home PC for Facebook and YouTube, you’re still of interest to miscreants, but nothing like the level of interest if you’re managing payroll or finances for a business,” Santorelli says.
However, Java runs the framework underlying the Android operating system, and is used by companies like Citrix to launch its GoToMeeting, GoToWebinar, and GoToMyPC services when loaded through a browser.
Some experts recommend virtualization as a workaround for businesses that need to use those Java-based services. Installing Java in a virtual machine keeps it at arm’s length from critical systems. The home user, especially one focused on Facebook and the Web, may be able to dispense with Java altogether.
Fans of HTML 5 point to it as an alternative for delivering the multimedia functions that Java enabled earlier in the Web’s development. It is a focus of both Adobe development and AT&T’s work, and appears to be gaining momentum this year, although it targets Flash more than Java.
The question of whether to keep Java comes down to “your risk profile, and how critical that system is,” says Team Cymru’s Santorelli. “If the consequences of a compromise would be catastrophic,” uninstall Java.
Andrew Brandt is a freelance writer and security expert.