Mozilla and Opera, as well as Microsoft, maker of Internet Explorer, have spent the better part of the past decade toughening their browsers against attacks through a relentless parade of updates. Mozilla, for example, lists 2237 bugs -- not all security bugs -- that were fixed in its version 15 release of the Firefox browser, which was published on August 28.
But even if your OS and browser security is inspired by Fort Knox, the bad guys always seem to find a new gap in the armor.
Java: Weak Link in Security Chain
Now that it's harder to penetrate the browsers and the OS, data thieves have changed their tactics, targeting the two remaining weakest links: Third-party browser plug-ins or add-ons, and users themselves. As third-party plug-ins go, Java remains abused as a vehicle for automated "drive-by" attacks, often enabled by low-cost exploit kits sold on the black market. Forbes published in March a price list showing what nefarious buyers will pay for exclusive access to a new, so-called zero day vulnerability. The reward of $40,000 to $100,000 is more than enough motivation for exploit coders to start early and work late.
Part of the attraction is Java's ubiquity. "It's almost a compliment to Java's developers," says Steve Santorelli, director of global outreach for Team Cymru, a security research nonprofit in Florida. Java, unlike any other browser plug-in, runs in nearly every operating system imaginable. "It comes down to the economics of malware," Santorelli says. Malware authors want the biggest possible return on their investment in development, which means malware that targets the widest possible market.
Java delivers on that investment, though it does so in ways that (probably) make Oracle CEO Larry Ellison cringe. Oracle inherited Java when it acquired Sun Microsystems in 2009, but the company was unwilling to comment for this report.
Fixing, Plugging, and Patching Java
While Oracle (and Sun before it) delivers regular updates to fix Java security issues, getting those updates installed on the computers and devices of all those millions of end-users remains a challenge.