Everybody needs friends. People you can depend on when times are rough. A buddy who will always come through and be there for you. For hackers, it's Java and Adobe Acrobat. These two loyal friends are always right there when you need them. Ready with a big collection of vulnerabilities that are easy to exploit.
It is not hard to locate these vulnerabilities. There are thousands of them. A quick search of the Common Vulnerability Database (CVE) yielded 1738 vulnerabilities for Java and 262 for Adobe Acrobat. There are also thousands of vulnerabilities in the various PDF engines.
Some of the most sinister malware on the market exploits Java. A Google search for “Java” and “malware” yields a staggering 19M hits. And the most recent story is regarding new Java zero-day attacks. At this point, I think we are beyond calling these zero-day attacks. Java *is* a zero-day attack.
Oracle, of course, acts like this is all business as usual. In between inventing new and fascinating ways to charge their customers for licenses, Oracle occasionally updates Java and the associated nagware included with it. And sometimes those updates actually fix vulnerabilities. Oracle has a checkered history with security. Their database platforms have long been a source of innumerable vulnerabilities. Java is no exception. For all of Oracle’s size and bombast, it does not seem to take information security terribly seriously.
Oracle embodies a business mentality that casts aside the complexities of security in favor of flexibility and feature set. This has attracted a lot of developers to the Java platform, hence Oracle's claim that more than 9 million devices run Java. The promise of cross-platform support (which never seems to really work) and the ubiquity of the Java run-time make Java attractive to developers.
But the real reason, I suspect, that developers gravitate to Java is that you can do a lot without working hard. Java has a broad API that can do a lot of different things. It also is simple to use. Its simplicity lets mediocre programmers accomplish great things.
And here is why Java is such a security nightmare. It is a casserole that smells good, looks yummy, and tastes great, but gives you gut-cramping runs about an hour later. (Yes, I know, the Java Mafia will probably put a hit out on me for saying such sacrilege.) You mix one part ubiquity with two parts mediocre programming, throw in lax patching, and you have the perfect exploitation framework. Some of the most sophisticated malware in the wild makes extensive use of Java not only to gain access and elevate privilege, but also to carry out some functions of the malware.
Another perennial abuser of the "we'll fix that someday" approach to vulnerabilities is Adobe. Acrobat and Flash have had numerous vulnerabilities over the years that Adobe was slow to patch. Adobe's weaknesses were almost more serious, since Acrobat and Flash are more ubiquitous than Java. However, both products are also more self-contained. They do not, like Java does, reach deep into the operating system. And therefore, the threat from an Acrobat or Flash attack is different. Despite this, Acrobat has been at the center of some serious breaches. RSA's highly public breach of their token seed information came from a Flash vulnerability.
Adobe, however, has a little more at stake here. Unlike Java, which has a massive army of loyal programmers who will throw a tantrum if you criticize their beloved Java, Adobe is an end-user product. It needs customers to keep buying Acrobat and developers to buy Flash. Also, Flash is under siege from HTML5, which is replacing Flash just about everywhere, since Flash does not run on Apple devices. Speaking of Apple devices, one of the more impressive things Apple did when there was pressure for them to put Flash on the iPad was to stand tall and say "no." Steve Jobs specifically called out Flash for its weak security. It was a brave call, which was ultimately the correct call. HTML5 is in many ways a better environment for content and more secure.
Adobe therefore has stepped up their efforts to patch their products. This has resulted in a more aggressive patching cycle from Adobe as well as overall improvements to their products. Nevertheless, there are probably still plenty of zero-days lurking in the Acrobat and Flash code.
Ultimately, Java and Adobe are the most visible reasons why third-party patching is so important. It is also why the free patch management solutions, like Microsoft WSUS, just do not cut it any longer. Fortunately, this market has matured a lot. There are low cost patch management products, like GFI LanGuard and more robust solutions like Secunia, Kace, or BigFix.
Also, if you do not need Flash or Java in your environment, remove it from workstations and do not let people install it. There is a reason we call Java and Adobe a Hacker's Best Friends. They make it easier for hackers to take what they want.
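The first step in acting on that advice is knowing which workstations still carry these products. The following PowerShell inventory check is an added example, not code from the Anitian post; it reads the standard Windows Uninstall registry keys and assumes the vendors' usual DisplayName conventions for Java, Flash Player and Acrobat/Reader entries.

```powershell
# Added example (not from the post): list Java, Flash and Acrobat/Reader installs
# registered on this Windows host, so they can be removed or put on a patch schedule.
# Both the native and the WOW6432Node (32-bit on 64-bit) Uninstall hives are checked.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# DisplayName patterns for the products the post recommends removing if unneeded.
# Assumption: entries follow the vendors' usual naming (e.g. "Java 8 Update ...",
# "Adobe Flash Player ...", "Adobe Acrobat Reader ...").
$targets = @{
    'Java'    = '^Java\b|^Java\(TM\)'
    'Flash'   = 'Adobe Flash Player'
    'Acrobat' = 'Adobe Acrobat|Adobe Reader'
}

$findings = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            foreach ($product in $targets.Keys) {
                if ($_.DisplayName -match $targets[$product]) {
                    [pscustomobject]@{
                        Product     = $product
                        DisplayName = $_.DisplayName
                        Version     = $_.DisplayVersion
                        Publisher   = $_.Publisher
                        Uninstall   = $_.UninstallString
                    }
                }
            }
        }
}

if ($findings) {
    # Each row is a candidate for removal, or for a third-party patch job if it must stay.
    $findings | Sort-Object Product, DisplayName | Format-Table -AutoSize
} else {
    Write-Output 'No Java, Flash or Acrobat/Reader installs registered on this host.'
}
```

Run it from an elevated prompt across a fleet (for example via a remoting or patch-management tool) and compare the reported versions against the vendors' current releases to see where third-party patching is lagging.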
Anitian – Intelligent Information Security. For more information please visit www.anitian.com