Time to give Java the boot?

Analysis: The programming language has become one of the weakest links in a PC's and Mac's defenses.

By Andrew Brandt, PC World |  Security, java

Mozilla and Opera, as well as Microsoft, maker of Internet Explorer, have spent the better part of the past decade toughening their browsers against attacks through a relentless parade of updates. Mozilla, for example, lists 2237 bugs -- not all security bugs -- that were fixed in its version 15 release of the Firefox browser, which was published on August 28.

But even if your OS and browser security is inspired by Fort Knox, the bad guys always seem to find a new gap in the armor.

Java: Weak Link in Security Chain

Now that it's harder to penetrate the browsers and the OS, data thieves have changed their tactics, targeting the two remaining weakest links: third-party browser plug-ins or add-ons, and users themselves. Among third-party plug-ins, Java is still abused as a vehicle for automated "drive-by" attacks, often enabled by low-cost exploit kits sold on the black market. In March, Forbes published a price list showing what nefarious buyers will pay for exclusive access to a new, so-called zero-day vulnerability. The reward of $40,000 to $100,000 is more than enough motivation for exploit coders to start early and work late.

Part of the attraction is Java's ubiquity. "It's almost a compliment to Java's developers," says Steve Santorelli, director of global outreach for Team Cymru, a security research nonprofit in Florida. Java, unlike any other browser plug-in, runs in nearly every operating system imaginable. "It comes down to the economics of malware," Santorelli says. Malware authors want the biggest possible return on their investment in development, which means malware that targets the widest possible market.

Java delivers on that investment, though it does so in ways that (probably) make Oracle CEO Larry Ellison cringe. Oracle inherited Java when it acquired Sun Microsystems in 2009, but the company was unwilling to comment for this report.

Fixing, Plugging, and Patching Java

While Oracle (and Sun before it) delivers regular updates to fix Java security issues, getting those updates installed on the computers and devices of all those millions of end-users remains a challenge.


Originally published on PC World.