Part of the attraction is Java's ubiquity. "It's almost a compliment to Java's developers," says Steve Santorelli, director of global outreach for Team Cymru, a security research nonprofit in Florida. Java, unlike any other browser plug-in, runs in nearly every operating system imaginable. "It comes down to the economics of malware," Santorelli says. Malware authors want the biggest possible return on their investment in development, which means malware that targets the widest possible market.
Java delivers on that investment, though it does so in ways that (probably) make Oracle CEO Larry Ellison cringe. Oracle inherited Java when it acquired Sun Microsystems in 2009, but the company was unwilling to comment for this report.
Fixing, Plugging, and Patching Java
While Oracle (and Sun before it) delivers regular updates to fix Java security issues, getting those updates installed on the computers and devices of all those millions of end-users remains a challenge.
Security firm Secunia, which tracks the software installed on end-user PCs, reports quarterly on Java vulnerabilities and how rapidly they're fixed. The firm's fourth-quarter Security Factsheet for Java reports that in 2011 Oracle released five advisory bulletins, warning of 58 vulnerabilities involving Java. Patches or updates were available on the day the bulletin was published in only three of the five cases. During 2011, 78 percent of malware attacks targeted vulnerable third-party applications, including Java as well as Adobe's Flash and Acrobat.
Leaving old, vulnerable versions of any Internet-connected software installed on a computer is a recipe for disaster.
"In many cases, Java's built-in upgrading capability fails outright, leaving normal users stranded," says Darien Kindlund, senior staff scientist at anti-malware company FireEye.
"Ever since the mainstream adoption of 64-bit Windows 7, Java (and other add-ons, like Flash) suffer from 32-bit/64-bit 'fractionalization,'" Kindlund explains. "Just because you install a patched, 64-bit version of Java, does not mean you're fully protected, if a vulnerable, 32-bit version of Java is still installed on the system (or vice-versa)."
AlienVault's Karg notes that Java is rightly no longer part of most operating systems. "Java shouldn't come pre-installed with common OSes," Karg says "It doesn't come with Linux by default, and the latest Windows version doesn't bundle it either."
By now, a few weeks after the Flashback malware outbreak struck OSX, it's well understood that Apple releases its own Java updates, and this sometimes means Mac users don't get access to the latest version for weeks or months after their Windows-using counterparts.
This all leaves open the question of whether end-users -- meaning you -- should even leave Java on your computer and perhaps uninstall it entirely instead of updating.
"If you use your home PC for Facebook and YouTube, you're still of interest to miscreants, but nothing like the level of interest if you're managing payroll or finances for a business," Santorelli says.
Sign up for CIO Asia eNewsletters.