• United States




Patching has failed, so it’s time for Java to go

Jan 22, 20144 mins
Application SecurityData and Information SecurityJava

Oracle pushes out Java patches promptly, but organizations don't install them; wholesale removal of Java is the only sensible answer

When Cisco released its 2014 Annual Security Report last week, we were told that 91 percent of all successful Web exploits involve Oracle Java JRE — and 76 percent of those Java users are running an unsupported version. You read that right: 91 percent!

Lest you think Cisco’s data represents an aberration, Java has led the way as the No. 1 vulnerability since at least June 2010, when Microsoft reported Java overtook Adobe PDFs as the top concern. Karpersky blamed Java for 50 percent of successful Web exploits in 2012. Of course, I’ve been talking about it for years, most recently in response to the frenzy around the Java threat a year ago.

[ Also on InfoWorld: Ditching Java would solve the security conundrum of old, vulnerable Java versions that won’t go away. | Keep up with key security issues with InfoWorld’s Security Central newsletter. ]

Java exploits just seem to be going up, up, up. Is it finally time to declare the use of Java over? Has it finally outlasted its welcome?

My answer, at long last: Yes. I rarely advocate such drastic measures, and this is my own opinion and not that of my employer, but the facts are too startling to ignore. It’s time to get rid of Java on clients.

I think any company actively allowing the use of Java within its environment is accepting an unreasonably high risk of exploitation. Eradicating or securing Java in your enterprise is the single best thing you can do to minimize computer security risk. Nothing else you do — smart cards, long passwords, biometrics — will reduce risk as well as fixing your Java problem.

Interestingly, Oracle or Java’s previous owners shouldn’t get all the blame. Heck, most of the successful exploitations are exploitations of already patched vulnerabilities. Oracle released a patch and begged you to deploy it, and still you didn’t. That hesitation, more than any other factor, is responsible for the bad rap Java is earning. It’s not like Java is the program with the most exploitable bugs in a given year. That distinction belongs to Google Chrome, Mozilla Firefox, and Apple iTunes.

For many years, it was difficult to initiate a patch. Even if you patched it, Sun (Java’s last owner) often left the older, unpatched, versions behind. And malware can query your computer for what version of Java you have available before deciding which exploit to try.

Today, Java is easy to patch. Java comes with a built-in autopatching routine that, if allowed to run, will close the latest known vulnerabilities and ensure older versions are no longer left behind. If you forget to patch, Java will bug you to death.

The problem is that application developers are either scared to patch Java because updates often break existing software or because they can’t (as the version is hard coded). Every company I talk to says unpatched Java is a huge problem, but they are prevented from patching it due to operational concerns.

It’s time for computer security to win out. Like the rebalancing currently going on in the U.S. government about the people’s expectation of privacy against NSA snooping, so too it is time for computer security teams to be allowed to tell developers and business owners: Get rid of it!

I’m not naïve. I realize this will result in all kinds of pushback from those who say it’s too difficult to retire Java applications or rewrite or replace them. But it must be done.

The sad fact is that Oracle is patching Java. We aren’t. And if we can’t patch it better, we need to get rid of it.

This story, “Patching has failed, so it’s time for Java to go,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author