Java security woes to stay with businesses for a long time

Zero-day vulnerabilities, delays in receiving patches and continuous cyberattacks are enough to make any large company want to toss the buggy Java plug-in from browsers. But that seemingly simple solution is not possible for the majority of businesses, which still use the platform for running Web-based Java applications, experts say.

Businesses were reminded of Java's problems on Monday, when Oracle released an emergency patch to fix two flaws in Java 7 and Java 6, including one hole that security experts warned last week was already being exploited by cybercriminals. Oracle acknowledged knowing about the more serious flaw since Feb. 1, but was unable to get a patch out sooner.

On the same day, a Polish security firm notified Oracle of five more vulnerabilities in the latest version of Java. Those flaws would be difficult to exploit, since they would have to be linked together to bypass Java's anti-exploit sandbox technology.

Nevertheless, Java has become a key target for criminals and a major headache for corporations. The fact that the technology is cross-platform has made matters worse, because malware can be written to infect Windows, Mac or Linux desktops and notebooks.

"Java has certainly moved to the forefront for many enterprises as far as patching and vulnerabilities are concerned," Wolfgang Kandek, chief technology officer for Qualys, said on Tuesday.

Businesses cannot remove the troublesome Java plug-in from browsers because many organizations run Web-based internal business applications that require it.
