If the IT industry had a color-coded threat-level advisory system, the alerts would have spiked to red this week -- and in a way they did when the Department of Homeland Security, no less, urged users to disable or uninstall Java because of a serious security vulnerability.
Judging by the ensuing avalanche of ink (mea culpa for adding to the pileup), you might think this attack took the industry by surprise. Far from it -- as Twitter engineer and security expert Charlie Miller told Reuters, "It's not like Java got insecure all of a sudden. It's been insecure for years." Java was responsible for half of all cyber attacks last year in which hackers broke into computers by exploiting software bugs, according to Kaspersky Lab, and diatribes against Java -- many on the pages of InfoWorld -- have been going on for years.
What was it about the latest zero-day that unleashed such a fevered pitch of concern that even NBC's "Today" show took up the cry? Has Java finally reached its tipping point?
As InfoWorld's Galen Gruman writes in "How to kill Java dead, dead, dead," the fact that the feds have gotten into the act speaks to the rising threat of a global cyber war:
In an era where the United States and Israel have launched a quiet cyber war against Iran and others with worms like Stuxnet, and Iran has counterattacked by trying to take down U.S. banks' websites, it won't be long before Java is used like the lax airline security was on 9/11 to make something really bad happen.
Hackers are using holes in Java to sabotage computers that run key business processes at banks, utilities, and government agencies. Unfortunately, as Gruman points out, "If Java went away tomorrow, many banking and e-commerce websites would cease to function, as would many electronic medical records systems and tons of specialty Web apps, from building inspector reporting tools to online voting."
By virtue of its sheer pervasiveness, the operational risk that Java presents is growing into something of a Y2K issue for businesses. InfoWorld's security blogger Roger A. Grimes goes so far as to say that "every company whose security I've audited has a Java problem -- an ongoing one that long predates the current threat. Java provides a convenient attack vector for most of the malware arriving in companies -- and not just the annoying stuff, but advanced persistent threats, money stealers, and more."
Why haven't companies kept up with patching Java? It's not just old-fashioned sloth or incompetence to blame. Grimes says, "It's the number of mission-critical enterprise apps tied to specific Java versions. In case after case, IT security people say they can't patch Java in a more timely manner because doing so breaks too many vital applications." While they're waiting for Oracle to just finally, gosh-darnit fix the thing already, "unpatched Java is wrecking havoc across the enterprise."
Oracle may be an easy scapegoat for users' frustration, but InfoWorld's open source blogger Simon Phipps explains why it could take a very long time to fix Java. Its vulnerability "devolves not to one issue, but to a series of issues, one knocking into the other like dominoes. Oracle has fixed one of the dominoes with a patch, but there are likely to be other ways to tip over the entire row." One more such domino fell just yesterday, when a security firm revealed that many apps using the popular open source Spring Framework are vulnerable to a type of remote-code injection because of a flaw in -- you guessed it -- Spring's soft Java underbelly. Cue shades of the many-headed Hydra from Greek mythology.