Everybody needs friends. People you can depend on when times are rough. A buddy who will always come through and be there for you. For hackers, it's Java and Adobe Acrobat. These two loyal friends are always right there when you need them, ready with a big collection of vulnerabilities that are easy to exploit.
It is not hard to locate these vulnerabilities. There are thousands of them. A quick search of the Common Vulnerabilities and Exposures (CVE) list yielded 1738 entries for Java and 262 for Adobe Acrobat. There are also thousands of vulnerabilities in the various PDF engines.
Some of the most sinister malware on the market exploits Java. A Google search for "Java" and "malware" yields a staggering 19M hits. And the most recent story is about new Java zero-day attacks. At this point, I think we are beyond calling these zero-day attacks. Java *is* a zero-day attack.
Oracle, of course, acts like this is all business as usual. In between inventing new and fascinating ways to charge their customers for licenses, Oracle occasionally updates Java and the associated nagware bundled with it. And sometimes those updates actually fix vulnerabilities. Oracle has a checkered history with security. Its database platforms have long been a source of innumerable vulnerabilities, and Java is no exception. For all of Oracle's size and bombast, it does not seem to take information security terribly seriously.
Oracle embodies a business mentality that casts aside the complexities of security in favor of flexibility and feature set. This has attracted a lot of developers to the Java platform, hence Oracle's claim that more than 9 million developers use Java. The promise of cross-platform support (which never seems to really work) and the ubiquity of the Java run-time make Java attractive to developers.
But the real reason, I suspect, that developers gravitate to Java is that you can do a lot without working hard. Java has a broad API that can do a lot of different things, and it is simple to use. Its simplicity lets mediocre programmers accomplish great things.
And here is why Java is such a security nightmare. It is a casserole that smells good, looks yummy, and tastes great, but gives you gut-cramping runs about an hour later. (Yes, I know, the Java Mafia will probably put a hit out on me for saying such sacrilege.) Mix one part ubiquity with two parts mediocre programming, throw in lax patching, and you have the perfect exploitation framework. Some of the most sophisticated malware in the wild makes extensive use of Java not only to gain initial access and elevate privilege, but also to carry out some of the malware's own functions.