Is it time to give Java the boot? Experts say yes.
Java, the programming language designed to make the web fun and interactive, has become one of the weakest links in a PC's and Mac's defenses against external threats. Consider the most recent Java vulnerability, a weakness currently being exploited by malware distributors: When Oracle, Java's maker, released an emergency update to fix the software, security analysts reported that even the hot-off-the-presses code contains additional vulnerabilities.
But the most recent security problems with Java are far from unique. Security firm Sophos, for example, blames an underlying Java vulnerability for attacks by the Flashback malware last April that infected one out of five Macs.
The risks don't outweigh the rewards, security experts say. "I'd say 90 percent of users don't need Java anymore," says Dominique Karg, the founder and chief hacking officer of AlienVault, a security software company. "I consider myself a 'power user' and the last and only time I realized I had Java installed on my Mac was when I had to update it."
If you own a PC you know that nagging feeling of insecurity when you're asked to update your Windows PC for the umpteenth time. It may only be moderately disruptive, but it's a monthly reminder that your computer, and the personal information contained therein, remains a target for criminals.
Over the years both Apple and Microsoft have hardened their systems' defenses. The Mac operating system has been near-bulletproof against attacks on its own vulnerabilities, and the company no longer ships new devices with Java preinstalled. Microsoft has made a full-court press to eliminate operating-system-level vulnerabilities since the Conficker worm outbreak in late 2008, and no comparable worms have attacked Windows systems since then.
Mozilla and Opera, as well as Microsoft, maker of Internet Explorer, have spent the better part of the past decade toughening their browsers against attacks through a relentless parade of updates. Mozilla, for example, lists 2237 bugs -- not all security bugs -- that were fixed in its version 15 release of the Firefox browser, which was published on August 28.
But even if your OS and browser security is inspired by Fort Knox, the bad guys always seem to find a new gap in the armor.
Java: Weak Link in Security Chain
Now that it's harder to penetrate the browsers and the OS, data thieves have changed their tactics, targeting the two remaining weakest links: third-party browser plug-ins or add-ons, and users themselves. Among third-party plug-ins, Java continues to be abused as a vehicle for automated "drive-by" attacks, often enabled by low-cost exploit kits sold on the black market. Forbes published in March a price list showing what nefarious buyers will pay for exclusive access to a new, so-called zero-day vulnerability. The reward of $40,000 to $100,000 is more than enough motivation for exploit coders to start early and work late.