Euro Security Watch with Mathew J. Schwartz

Risk Management, Technology

Cybercriminals Mourn Java Plug-In Death

Oracle Deep-Sixes Browser Plug-In

Cybercriminals are in mourning after the shocking announcement from technology giant Oracle that it soon plans to deep-six its beloved Java Web browser plug-in (see Oracle's Security Absurdity).


Oracle announced its decision "to deprecate the Java browser plugin in JDK 9," in a Jan. 27 blog post. "This technology will be removed from the Oracle JDK and JRE in a future Java SE release." The future release in question appears to be version 9 of the Java development kit, which Oracle plans to release on Sept. 22.


Oracle has attempted to portray the decision to kill the Java browser plug-in as being out of its hands. Indeed, it has blamed browser makers' planned or already executed "removal of standards-based plugin support" for robbing browser users of their right to employ not just Java, but also Adobe Flash and Microsoft Silverlight.

In place of the Java plug-in for browsers, Oracle advocates applet-generating technology called Java Web Start - a.k.a. JAWS - which was first introduced by former Java owner Sun in 2001.

Crimeware Community Craves Java

Oracle's Java plug-in move has no doubt sparked fury from cybercrime kingpins, who since 2010 have been lauding the Java plug-in for its wide install base, for the easy exploitability of "older" plug-ins (generally meaning any version at least a few weeks old), and for its ability to let them automatically target and exploit large numbers of PCs at once. By adding Java exploits, they also report being able to command record prices for the exploit toolkits that they lease or sell to the cybercrime community.

Similarly, Oracle's decision to not enable users to easily identify when they were running older, vulnerable versions of the plug-in has given cybercriminals an even bigger "attack surface" to target. Indeed, many users have been inadvertently running two or more vulnerable versions of old Java on any given endpoint.

That's why it's no surprise that leading cybercrime toolkit sellers regularly include exploits for Java, which reportedly work on an average of 10 percent of all PCs. But after the emergence of a new zero-day flaw in Java, the exploit success rate has occasionally spiked to an estimated 80 percent, at least based on studies of the Blackhole exploit kit. That's been music to cybercriminals' ears, allowing them to quickly compromise large numbers of PCs and ransack them for sensitive data, or turn them into nodes for launching distributed denial-of-service attacks or spam.

Will cybercriminals now be forced to look elsewhere to make a fast buck?



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
