Security pros advise users to ditch Java

The 'write once, run anywhere' software platform has become a favorite of cyber attackers. Is it time for users to kill their Java?

Security firms are being none too gentle with Oracle's Java following the revelation this week that attackers are using two unpatched Java vulnerabilities to compromise selected targets. The most common advice: Uninstall the Java plug-in in your browser and don't use services that require the software.

On Monday, security firm FireEye revealed that a customer had been attacked with a previously unknown vulnerability. Yet Oracle already knew about the security issue and apparently had an update at the ready to be released on its regularly scheduled patch day in October. With reliable exploits for the vulnerabilities rapidly being adopted by security researchers and cyber criminals alike, the company rushed out a fix for the flaw on Thursday.

Overall, the incident has left a bitter taste in the collective mouths of many security professionals.

"I think there is a lot of sentiment toward not using Java at all if you can avoid it," says Stephen Cobb, security evangelist for antimalware firm ESET. "That is what I would say, and I'm not the first to say that, and I'm not alone in saying that."

Security firm Sophos is among the many to recommend that users turn off the Java plug-in within the browser. And the U.S. Computer Emergency Readiness Team (CERT), the response agency for the U.S. government, offered advice for system administrators that boiled down to "remove Java plug-ins." In April, InfoWorld covered the backlash against Java in the wake of the infection of more than 600,000 Mac computers by the Flashback Trojan and pointed out why removing Java infrastructure is not an option for many enterprises.

While Oracle is not to blame for malicious actors using Java, the company needs to clarify its commitment to securing the platform, argues ESET's Cobb.

An analysis of the flaws found that Oracle introduced the issues into Java 7 a year ago and warned that while it was found recently, cyber criminals and intellectual-property thieves had likely been using the attack for months.

"Somewhere not far way -- probably a 10-hour flight from some of the major airports in Norte Americana -- [someone] was enjoying [the attack] non-stop for quite some time now," Esteban Guillardoy, of offensive-security firm Immunity, wrote in his analysis.

Many security companies have talked about the industrialization of cyber crime over the past year, and the incident with Java highlights that trend. With the online criminal economy focusing on turning compromised computers into a profit, reliable attacks -- such as the Java exploit -- are adopted quite quickly. When the attack code became public earlier this week, it took less than a day for the developers behind Metasploit -- an attack toolkit used by security researchers to test their own systems -- to add the attack to its arsenal.

Less legitimate toolkits were not far behind, with the popular Blackhole exploit kit adding a rougher version of the attack to allow spammers and fraudsters to compromise vulnerable systems.

"The division of labor and specialization in malware production has enabled crimeware creators and distributors to react very quickly to these vulnerabilities," says ESET's Cobb. "I think at this point it is safe to say that [the criminals are] going to be focused on Java until Java is all sealed up or not used anymore. It is particularly open to attacks."

While Oracle released a patch on Thursday, the incident is still not over. Many companies delay patching until they can test the update for compatibility with their particular environment. In its Laws of Vulnerability 2.0 report -- admittedly a bit dated now -- cloud security firm Qualys found that 40 percent of the Top 20 flaws lasted more than a year in corporate environments.

Among the software affected by those long-lasting flaws: Java.

This story, "Security pros advise users to ditch Java," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.