Java has become the most popular attack vector for the bad guys, surpassing Adobe and Windows itself. Kurt Baumgartner, a senior security researcher with Kaspersky Lab, notes that it is always the first vulnerability probed by exploit kits such as Blackhole. He sees two main reasons for this. First, the Java patch cycle is slow, relying primarily on a quarterly update schedule; and second, “the facilities on the user’s computer for patching Java are not as good as some of the other application patch mechanisms such as Google Chrome.”
In short, he says, “there are more [Java] victims that are more available for a longer period of time.”
David Harley, a senior research fellow with ESET, agrees. “Oracle is fond of telling us that 3 billion devices run Java, and patches don’t become available for all of them in a timely fashion,” he told Infosecurity. Luis Corrons, technical director at Panda Labs, adds that even frequent patching will not catch the 0-day vulnerabilities (nor the 1-day vulnerabilities: see Blackhole: the 1-day exploit kit). Given Java’s slow patch cycle, 0-day exploits remain usable against Java for longer.
So many experts sympathize with the advice from Sophos’s Cluley. “New vulnerabilities are being found all the time,” he told Infosecurity. “Why keep Java updated if you don't actually use it, and could simply remove it from your computer? It's the same as with Flash or Adobe PDF reader. You're increasing your exposure by running programs, especially if you don't actually need them.”
But while the advice may be good, not all experts believe it is realistic for the average user. “I’ve seen the advice, just get rid of it if you don’t need it,” says Baumgartner. “But that’s next to impossible. Java is ubiquitous. Lots of applications use Java. It’s not a very useful statement to say just don’t use it.”
Harley agrees. “Certainly it’s something I prefer in principle to switching on when I need it, rather than running by default. The problem there is that many end-users won’t really know when it’s appropriate and when it’s less appropriate, so will just say ‘yes, enable it’ whenever they’re asked.”
Put simply, says Corrons, the average user cannot get by without Java. “There are a number of services and software that need Java to run properly, or to run at all.” That’s the problem with Java, he adds: “It is widespread and it is really convenient for everyone: users and cybercriminals.”