If you've been paying any attention to the security breaches hitting Apple, Facebook, Twitter, NBC, and others these past few weeks, you've probably noticed a common culprit: our poor old pockmarked friend, Java.
As a web plugin, Oracle's aging code deployment platform has practically been a revolving door for widespread malware attacks recently, and for years the general consensus has often been that its risks have outgrown its usefulness. After spending a week Java-free back in 2010, PCMag's Larry Seltzer concluded that the Java platform as a whole "is pretty clearly a failure, and all that remains of it is a big fat attack surface on your computer."
The situation doesn't look to be getting any better: since last year, zero-day exploits have been appearing with a crippling consistency, and lately Oracle has found itself fervently rushing to apply patches on an almost monthly basis. One of them, which emerged in January, caused Apple to start blocking Java 7 completely on OS X. And even after it had been patched, the US Department of Homeland Security's Computer Emergency Readiness Team (CERT) joined security experts in recommending that users keep their Java browser plugins disabled indefinitely. Now many are beginning to wonder, as they have many times before, whether the platform and its associated language are finally on their last legs, about to be pummeled out of existence by hackers and a declining developer base.
The thing is, like many successful platforms, part of what makes Java so dangerous is also its main selling point: it's everywhere. Java's original stewards, the now-defunct Sun Microsystems, built it as an intermediary for cross-platform code deployment, and today its new owners at Oracle brag that Java runs on more than 3 billion devices — the allure is that you only need to write code once and you've got your software running on Windows, Mac, and Linux PCs, plus a whole host of other compatible devices to boot.
It should be no surprise, then, that the criminal hacking underground has taken such a keen interest. Less than 24 hours after Oracle patched a critical vulnerability in mid-January, security researcher Brian Krebs observed that yet another unpatched exploit was already being sold on the black market to two buyers at $5,000 a pop. After loading those exploits into crimeware tools to foist malicious code onto heavily-trafficked websites, malicious actors suddenly have an open doorway to millions upon millions of devices that merely connect to an infected URL. That's exactly what happened with the recent exploit that attacked iPhoneDevSDK.com and led to an attack on Apple itself. From there, they can run targeted attacks which exfiltrate data, install remote access tools, and do all manner of other nasty stuff until Oracle manages to patch the vulnerability. And since developers are involved, there's even the opportunity to inject malicious code directly into the apps themselves.
"Java will be hacked on until it’s dead or disabled"
"Java is the flavor of the day, just like Flash and others were before it," says independent security researcher Elliott Cutright in an email sent to The Verge. "It will be hacked on until it’s dead or disabled, then hackers will move on to the next piece of software."
But the solution isn't as simple as giving Java the boot. "I'm not sure if we could just 'ditch' Java right now even if we wanted to. While its not used as widely in businesses these days as it once was, it is still prevalent enough to make dropping it altogether very difficult," says Cutright. For example, Android developers depend on a host of development tools which all require a Java installation, leaving them all vulnerable whenever a new exploit comes along. Though it's worth noting that Android itself remains unaffected, since the OS runs on software that's only derivative of Java, and it doesn't include a plugin for its browser. There's also the fact that many businesses intentionally stay on older, unpatched versions of Java, because upgrading would break their software.
The best way to stay safe right now, security experts keep saying, is to keep Java unplugged from the browser on your PC (read here on how to do that) and maybe keep an extra browser with Java enabled for the rare occasions you actually need it. But in the long-term, the only way for users to break the cycle — and for Java to survive on the web — depends on whether Oracle decides to open up the way it mitigates risk to other security firms.
"Oracle is just playing an endless game of Whac-A-Mole."
"It’s very frustrating that we don't already have a copy of the Java exploit that affected Apple," says Sean Sullivan, a security advisor at F-Secure. "We could be doing so much testing already. And by sharing the load, antivirus (and other security) vendors can help give Java users the security that they need. Otherwise, Oracle is just playing an endless game of Whac-A-Mole."
"They are known for taking their time with vulnerabilities disclosed by researchers before releasing patches," says Cutright. "They really need to improve their relations with the community and have a more efficient process for effectively handling and fixing security vulnerabilities before they open the floodgates with a [Google-like] bug bounty."
Oracle did not respond to a request for comment.
Adobe's Flash, another browser plugin with a sordid history, was once the same kind of low-hanging fruit. But that changed two years ago, Sullivan says, when Adobe joined MAPP, an early access disclosure program headed up by Microsoft that gives security companies a head-start in finding vulnerabilities. "With that information, we can better prepare for exploit detection and mitigations," says Sullivan. "Basically, Adobe became a team player."
In the future, HTML5 is probably the best hope of relieving the need for browser plugins like Flash and Java. But in the meantime, the onus lies on Oracle to weather the storm using all the resources available — and on users to seal off the offending attack vectors. "This goes for everything, not just Java," says Cutright. "Limit your attack surface and you will be more secure at the end of the day. But you will never be 'hack proof.' No matter what the sales guys tell you."