The Mac Security Blog

Security & Privacy

Java is Still Not Particularly Safe

Posted on January 16th, 2013 by

It’s been sort of a long week of bad news for Oracle lately, with the decline in popularity of Java as a programming language, followed by a serious and widespread Java zero-day exploit, followed by news that the patch was an effective but incomplete solution to the underlying problem. Now it would seem another Java zero-day exploit is already being sold in cybercrime markets.

What it comes down to is this: Java is a very powerful, very widespread, and not very secure platform. It’s been known for quite some time that Java is full of vulnerabilities, and the list of open issues does not seem to be decreasing. The second vulnerability involved in last week’s Java zero-day is not likely to be completely addressed for quite some time, as it deals with the interactions of the underlying infrastructure.

Java is a very tempting target for malware developers, as it is available to all major OSes. This will mean a brisk trade in the cybercrime underground for zero-days for a long time to come. While the recent patch that was quickly released by Oracle puts out the raging zero-day fire, there are plenty more smouldering issues that are ready to erupt in flames at any moment. It is helpful that Oracle has increased Java’s default security level, requiring users to acknowledge and click Java content before it will run, but they allow signed content to run unimpeded. Signing applications has never been a significant hurdle to malware developers. This may delay the next major zero-day problem, but not for long.

As Apple users, we’re fortunate in that Apple has been weaning us off Java for years. From a security standpoint, this was a very smart choice. But we have decidedly not been immune. Flashback hit many hundreds of thousands of OS X users last year because a zero-day Java vulnerability allowed it to be silently installed. Several other, less prevalent malware took advantage of this and other Java vulnerabilities to install themselves without user interaction, throughout the course of 2012.

I know that many people are unable to disable Java from the browser in their environment, as many popular apps and websites do still require Java in the browser to function. Now is a good time to bring up that discussion with the people who make these decisions. Ask your friendly local IT person if there are plans to move away from those Java-based apps you use at work. Ask your bank or app developers that require Java to run if they’re going to make a version without. It’s all well and good when security people tell you to disable Java, but if your daily activities require it, it’s not a very realistic recommendation. Some of the responsibility needs to rest with the people who develop the apps and make the buying decisions to make different choices – ones that don’t put you, the customer, at risk.