
Could Security Woes Eventually Kill Client-Side Java? Analysts Weigh In...


Client-side Java has a big, bright bull's eye painted on it, and black hats just can't seem to resist shooting at it. Oracle was relatively quick to respond to news of the latest critical vulnerability in Java 7 (revealed last Thursday; fixed by Sunday), but many security mavens have been unwilling to tell users that it's safe to enable Java in their browsers again. It didn't help that the U.S. Computer Emergency Readiness Team (US-CERT), which is part of the U.S. Department of Homeland Security (DHS), had issued a warning to Average Joe computer users to disable Java.

After more than a year of headline-grabbing revelations of new security flaws, is it fair to ask whether client-side Java is living on borrowed time? Some industry watchers think so.

Although Java will remain alive and well on the server, says Mike Gualtieri, principal analyst at Forrester Research, the steady surfacing of security vulnerabilities we're seeing today on the client side is likely to kill any chance that Java will play a bigger role on the desktop or mobile devices in the future.

"It's like all Java developers were just diagnosed with a devastating, incurable disease," Gualtieri said. "What are you going to do? Bite your tongue, keep your head down, and keep writing code."

Al Hilwa, program director at industry analyst firm IDC, points out that any add-on to a browser is going to increase the surface area for security attacks. And Oracle complicates things by bundling the Java browser extension with the Java runtime environment (JRE).

"Browsers are powerful gateways, and when they're used as platforms for extensions from other vendors (e.g. Java from Oracle or Flash from Adobe) the picture of management and accountability for security becomes complicated," he said. "This is why the industry is shifting to HTML5 for browser applications, so that the browser vendors own the security of the platform end-to-end."

Java has been gaining popularity as a target for a few years now, observes Jerome Segura, senior security researcher at anti-malware solutions provider Malwarebytes. About a year ago it surpassed Adobe Reader, which had been the leading target, in part because of changes Adobe made to its sandbox, but largely because Java is now so widely deployed across so many devices and platforms.

It's also Java's inherent complexity that invites exploitation, Segura said, because that quality increases the number of possible bugs in the code, and thus, the number of potential vulnerabilities. Another problem is Oracle's tendency to leave the end users in charge of updates. Oracle's remedy for the current problem, for example, was to fix one of the two bugs behind it directly, and leave the users to update the default security settings to fix the second bug.

Sorin Mustaca, product manager and IT security expert at German security solutions provider Avira, applauds Oracle for acting quickly to fix the latest zero-day vulnerability, but says there's a downside to such fast action.

"When you fix such an important bug in such a short time under high pressure, the result is that you will see even more bugs like that in the future," Mustaca said. "But also, our feeling is that Oracle has gotten into the habit of reacting to a crisis -- to putting out fires -- instead of mitigating. And so this is why we have mixed feelings about this."

Mustaca agrees that Java's widespread deployment lies at the root of its recent appeal as an exploitation target.

"The number of devices has exploded in the past two to three years," he said. "And Java runs on almost all devices. Oracle says that it's on more than three billion of them -- everything from your computer to your car to your frig. And it's an accepted technology, even by Apple. So of course it's going to be a target, and of course we are going to react strongly when it is exploited. It has a much bigger impact."

Hilwa points out that Java has attracted the attention of the "malware industrial complex," which is evolving into a "fast moving, well capitalized underworld of software-for-hire available to anyone willing to pay." Automated kits are now available to exploit any security hole within days, if not hours, after it becomes known.

"The ante is regularly upped by the malware industry," he said, "and companies who want to be in the plug-in business are essentially engaged in an arms race. And it's relatively difficult for end-users to verify the safety of all the different browsers they use. This puts the onus on Enterprise IT to create awareness for their users. So Oracle needs to step up their investment. No doubt the company understands this now."

Posted by John K. Waters on January 16, 2013