The latest Java zero-day flaw has the tech world in an uproar. This newest hole, actively exploited in the wild, was patched by Oracle yesterday -- only for multiple ultratrusted security gurus to say that Oracle didn't address every bug, with some even maintaining it could take Oracle two years to fix all the vulnerabilities.
You know it's a bad day at Oracle when the Department of Homeland Security says this:
This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available.
Java exploits are nothing new -- although this one got so much media coverage that my mother called to ask me how to uninstall Java after watching the morning news shows. I tried to assure her that she didn't need to panic, but apparently she takes Matt Lauer's word over mine.
How much of the threat is hype and how likely is this to be yet another touted "huge attack" that fizzles away into nothingness? Read on.
The sad Java security tale
Installed on over 1.1 billion desktops and 3 billion mobile phones, Java is the world's biggest target for hackers. It has been the top exploit vector for Web browsers for many years. Ask anyone involved with detecting and eradicating malware in the enterprise; Java, they will say, is responsible for most of it.
Java's vulnerability has always saddened me because Java was the first superpopular language built from the ground up with security in mind. It wasn't an afterthought. The developers foresaw how Java might be abused and locked it down with a set of rules, security checks, and a security sandbox.
Ultimately, three details killed the security promise of Java: First, the original security model was too secure. It was so locked down that legitimate developers couldn't take care of normal tasks, like allowing you to save a file to your desktop. Java had to scrap the security model and evolve to a scheme that balanced security and functionality.
Second, Java has lots of moving parts, including a virtual machine, runtime engines, type verifiers, bytecode compilers, a security sandbox, garbage collectors, and so on. This means that Java is complex, and security and complexity seldom go well together.
Third, Sun and Oracle have piled on new functionality to keep Java competitive. Every time a new capability is added, a new attack vector appears for hackers to explore.
What do I do now?
A common refrain among security experts is to tell people to uninstall or disable Java if they don't need it. That's still good advice, especially for older versions. Unfortunately, Java is required to run not just small programs and games, but also mission-critical enterprise applications.
But there's a difference between the Java that runs in your browser and the Java that can run on your desktop computer, phone, or server. The JVM (Java Virtual Machine) allows Java applets to run within a browser. The JVM is a subcomponent of Java, which is a complete language and development environment.
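The DHS advice quoted above (turn Java off in the browser, not on the desktop or server) can be enforced on every JRE on a machine through the deployment configuration that Java 7 Update 10 and later honor. The POSIX shell script below is an added example and not part of the original column: it writes a system-level deployment.config that points at a mandatory deployment.properties file, disables the browser plug-in there, and locks the setting so the Java Control Panel cannot re-enable it. The target directory is a parameter; the Linux default of /etc/.java/deployment is assumed (on Windows the equivalent location is %WINDIR%\Sun\Java\Deployment).

```shell
#!/bin/sh
# Added example: enforce "Java off in the browser" via the JRE's system-level
# deployment configuration (Java 7u10+). The JRE stays installed for desktop
# and enterprise applications; only browser-hosted Java content is disabled.
#
# Usage: write_java_deployment_policy [DIR]
#   DIR defaults to /etc/.java/deployment (assumed Linux system location).
set -eu

write_java_deployment_policy() {
    dir="${1:-/etc/.java/deployment}"
    props="$dir/deployment.properties"
    mkdir -p "$dir"

    # deployment.config tells every JRE on the machine where the system-wide
    # properties file lives; "mandatory=true" makes the JRE refuse to run
    # plug-in/Web Start content if that file cannot be read.
    cat > "$dir/deployment.config" <<EOF
deployment.system.config=file://$props
deployment.system.config.mandatory=true
EOF

    # deployment.properties: disable Java content in the browser and lock the
    # key (".locked" suffix) so users cannot flip it back in the Control Panel.
    cat > "$props" <<EOF
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
EOF
    chmod 644 "$dir/deployment.config" "$props"
}

# Audit helper: report the policy's browser-Java state as "false", "true"
# (no explicit disable found) or "unknown" (no system properties file).
browser_java_enabled() {
    props="${1:-/etc/.java/deployment}/deployment.properties"
    [ -r "$props" ] || { echo "unknown"; return 0; }
    if grep -q '^deployment.webjava.enabled=false$' "$props"; then
        echo "false"
    else
        echo "true"
    fi
}
```

Run it as root to apply the policy; the audit helper lets a compliance script confirm the setting without touching the files.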