Byron Acohido, USA TODAY
Java has emerged as arguably the No. 1 Web threat - and you'd be wise to disable it.
Java is everywhere. It's the programming language used in billions of Web browsers, smartphones, smart payment cards -- even in TVs and cars.
You almost certainly use multiple Java-enabled devices every day without realizing it. Because Java is so embedded in all forms of computing, it has emerged as a ripe attack surface for cybercriminals.
"Java is a type of cross-platform software used on PCs, Macs, tablets, smartphones and even Linux systems," says Marcus Chung, chief operating officer at Malwarebytes. "As a result, Java-based threats are pervasive and can reach nearly all platforms and devices."
Countless business applications use Java to run critical processes, and every major system from Oracle, IBM, SAP and others uses some form of Java, says Jeff Hudson, CEO of encryption services vendor Venafi. "This affords criminals a huge surface area of attack," Hudson observes.
No surprise, then, that cybercriminals have been intensively probing Java for security flaws. One way they take advantage is to use Java to force malicious software onto your computing device in what's called a "drive-by download," says Corey Nachreiner, strategy director at WatchGuard.
Drive-by downloads unfold silently and invisibly. You click on a Web link or visit a website booby-trapped to steer you to an infection. The bad guys then steal your account log-ons, contacts and personal information. But they don't stop there. "Once they control your computer, they can access pathways to information and other devices on any network you may be part of," Nachreiner says.
Java-based attacks have been implicated in data breaches at big media companies such as The New York Times and Wall Street Journal, tech giants such as Google, Twitter and Yahoo, and many big banks.
The Department of Homeland Security earlier this year advised Americans to disable Java, endorsing a consensus in the security community that Java's risks now overshadow its benefits for most consumers and many businesses.
Java originated with Sun Microsystems, which has merged with Oracle. Oracle says on its website that it's working to patch security flaws in Java.
Newer versions of Windows PCs and Apple Macintosh computers no longer come with Java pre-installed or enabled. But many popular games and cutting-edge Web services can only operate with Java, so consumers are routinely guided into installing Java on new computing devices. But you may want to avoid installing Java or at least disable it in your Web browser.
Java came pre-installed and enabled in earlier versions of PCs and Mac operating systems. If you're using Windows XP or any earlier version, or Mac OS 10.6.x and earlier versions, you need to take steps to disable it. Keep in mind, Apple has released some updates which may have automatically disabled it for you. Helpful guidance is available at Disable-Java.com.
Dealing with Java's risks in a corporate setting is a bit more complicated. Companies use Java widely as a computing platform to enable virtual private networks and cloud-based tools. To make these apps available in browsers, Java must access both the device and the Web.
"This dual access makes Java very attractive to attackers," says Rob Rachwald, senior director of market research at security firm FireEye. "Attackers can reliably exploit a Java vulnerability that, conveniently, works across all different operating systems and browsers."
Those defending company networks face a huge challenge locking down Java across multiple operating systems and browsers without disrupting daily work flows.
The problem is magnified because banking, e-commerce websites, electronic medical records systems and specialized Web applications depend on Java to function.
"Sometimes, just disabling Java is not a reasonable answer," says Malwarebytes' Chung.
Then there is the added complication that many business apps may only run on a specific version of Java. "If a vulnerability is found in that version, patching it could break the application's functionality, causing businesses to take even further risks," Chung says. "Today's companies are under cyberattacks on an almost daily basis, exposing businesses to additional risks."
What's worse, experts say the war is only in the opening stages, and the campaign to gain some sort of equilibrium against hackers probably will take years.
Windows became the primary hacking target in the 2000s because Windows PCs made up 90% of the personal computing market, and it took a decade for Microsoft to get on equal footing. Java has become the top target in the current decade because of its ubiquitous use in services delivered via the much richer and much more complex Internet cloud.
"Hackers always focus on the biggest threat landscape," says Barry Shteiman, senior strategist at database security firm Imperva. "Developers are using Java to create technologies that cross between the computer and the phone in our evolving, mobility-based world. So it absolutely makes sense for hackers to shift to what's become the new largest platform."
As highly motivated cybergangs pour resources into flushing out fresh Java vulnerabilities, it has become a frenzied, high-stakes cat-and-mouse game for companies to keep up.
Conrad Constantine, a research engineer at AlienVault, says new Java security holes are being discovered at a rate that is "outpacing the usual test-and-release cycle for deploying a new version of Java" in ways that "will not break existing applications."