The Java browser plug-in has been getting a black eye in recent months from security experts who recommend that it be disabled because of the wide range of security exploits the plug-in inadvertently makes possible. As the volume of attacks continues to grow, a number of people have begun to suggest that, unless the plug-in is specifically needed, most machines would be better off without it.
Recent Java exploits include a vulnerability in Java JRE 7 Update 9 that enables remote code execution and is currently being sold on the black market for an undisclosed price.
"Java is a major threat vector today," said Paul Henry, security and forensics expert at Lumension. "But we also have to understand why they are such a major threat vector. People have historically done a poor job of patching Java, which is understandable to some extent because when you patch Java, it might affect your application. The bad guys understand this, and therefore they are looking for exploits. If you go back a year ago, they were focusing on Adobe Flash. But, Adobe started patching more frequently and so the attention has turned to Java. We have recommended in the past that you should disable it when you're waiting for patches. But once you get those patches, you can re-enable it."
Despite a relatively lengthy patch cycle, Henry says that Oracle does a relatively good job of pushing out unscheduled, out-of-band patches when vulnerabilities become publicized and are used in the wild. But in many cases, other vendors that use Java within their own products are less diligent about plugging the holes.
"Apple is a perfect example," said Henry. "We had an issue a few months back with three known vulnerabilities for which Oracle pushed out patches. But, Apple only included one of those patches in their updates, leaving people exposed for quite some time."
Henry pointed to Microsoft as an example of a company that has made great improvements in addressing security issues, and he recommended that Apple examine the Microsoft model more closely. "Apple needs to investigate what's been done by Microsoft, but Apple will never want to do anything like Microsoft," he said.
Developing security patches for software is a significant challenge, according to Marcus Carey, security researcher at Rapid7.
"I think it highlights how hard it is to keep software secure, especially when you have to support so many platforms and so many browsers," said Carey. "It doesn't mean that Oracle is doing a horrible job in supporting security for the Java plug-ins. It's just hard to put up software that is secure."