Adobe Flash zero-day exploits, and calls for the execution of Adobe Flash, dominated headlines over the past week or so in the wake of the Hacking Team hack. Meanwhile, Oracle pushed out a security update. The Oracle update fixed 193 security vulnerabilities—yes one, nine, three…just seven short of 200—including 25 just for Java. While we’re tossing Adobe Flash overboard, let’s send Java with it.
Java and Flash are like the twin harbingers of doom when it comes to computer security. They’re like a devastating tag team attack. At any given point if there isn’t a zero-day flaw to exploit in Adobe Flash there’s probably one in Java—and vice versa.
In a post imploring users to update or just remove Java completely, Graham Cluley points out, “The security hole was particularly notable because it is thought to be the first new zero-day vulnerability that has targeted Java for two years.”
I agree with Cluley, but I would emphasize the “thought to be” a little more. The Java zero-day is the first that has been publicly disclosed and patched in a couple years. However, the very nature of zero-days is that we don’t know about them until we know about them.
A couple of weeks ago you might have assumed Adobe Flash was relatively secure. Then the Hacking Team hack revealed that the company had kept three different Adobe Flash zero-day exploits in its arsenal to enable it to install software on target computers without the users’ knowledge. It seems likely that there are Java zero-day exploits out there that we just don’t know about.
Stephen Pao, GM of Security at Barracuda, sent me this statement that reads like an open letter to Oracle.
At Barracuda, we appreciate Oracle’s continued support of the Java platform, as we continue to use Java as one of our strategic development environments on the server-side, both in our backend operations at Barracuda Central, as well as in some of our products. The Java ecosystem remains rich, with a robust set of open source and third-party toolsets, as well as a valuable development community.
That said, we appreciate the ongoing support for Java on the client, but this client-side support is becoming far less relevant to our business today as we have observed a continued movement away from Java deployed at the client endpoint. As such, we have continued to offer new alternatives to Java to provide dynamic end-user experiences through a combination of technologies, including use of HTML5 and native clients for both desktop and mobile platforms.
Java and Flash are certainly not the only vulnerable applications out there—in fact, I’m not sure there is any such thing as bulletproof software with absolutely no flaws to exploit. Years of repeated major malware campaigns and zero-day exploits demonstrate undeniably, though, that Java and Flash are more vulnerable than some and definitely more targeted than most.
The incentive to target exploits at Java and Flash stems in part from their success. Both platforms are nearly ubiquitous and can be found installed on the vast majority of systems—even across different operating systems. Attackers like to exploit Java and Flash because a successful attack has a much broader pool of potential targets to compromise.
If you insist on keeping Java or Adobe Flash on your PC, you have to be vigilant about updating them. Most of the time the bad guys are already exploiting flaws before the patch is issued, so even if you apply the update immediately, it just means you’re protected against yesterday’s threats.
Unless you absolutely need them for some mission-critical application, it’s time to remove the twin harbingers of doom and just uninstall Java and Adobe Flash.