There's no denying the popularity of Java, as evidenced by its ubiquity on home and work systems worldwide. But it's easy for computers -- both in homes and at organizations -- to have multiple versions of Java installed, thus exposing those systems to security exploits. IT admins need to do a better job of closing those holes. One critical step, which I've recommended for years, is for admins and users to update to the most recent version of Java (applications permitting) and to remove all other existing versions.
Java's security shortcomings are well documented. It, along with Adobe products, made up all top 10 successful exploit spots last year, according to Kaspersky. What's more, Microsoft's Security Intelligence Report 11 noted that Java was "responsible for between one-third and one-half of all [recent] exploits." Over the past six months, I've found Java to be the most common exploit vector in all the cases I've personally investigated. Even Oracle recommends that customers remove old versions of Java and use only the latest patched versions.
[ InfoWorld's Paul Krill reveals why Android has helped Java remain so popular, as well as what Java 7 has in store for developers. | For more news and insights on using Java, subscribe to InfoWorld's JavaWorld Enterprise Java newsletter and visit our sister site JavaWorld.com. ]
Three factors contribute to Java's unenviable "use with caution" status: First, Java is cross-platform. Almost every computer, regardless of OS, runs it. That makes it a juicy target for hackers. Second, many computers contain multiple versions, usually unbeknownst to the user. Third, at least one of those versions is unpatched. Java links can contain software that easily check for which versions a client browser is running; within a few seconds, a malicious program can hone in on an old, unpatched version.
Removing all old versions of Java and running only the latest, patched versions is easier said than done. For one, new Java installs don't necessarily uninstall the older versions automatically. That's because some Java applications require specific versions in order to run. I've had clients with 5 to 10 different versions of Java installed, and they were scared to remove a single version for fear of breaking something.