October 11, 2010

I have long urged readers who have no need for Java to remove the program, because failing to keep this software updated with the latest security patches exposes users to dangerous, ubiquitous attacks. In this blog post, I’ll show readers how attacks against Java vulnerabilities have fast emerged as the top moneymaker for authors of the best-selling “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities.

Take one look at the newest kit on the block — “Blackhole” — and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.

I spoke briefly via instant message with the developer of this Blackhole kit (pictured at right), and he assured me that these images were taken from a working installation. The screen shot here shows the administration panel for this exploit pack, which lists the number of hits (хиты) and downloads (загрузки). The statistics show that on average this kit finds a working exploit that it can use to install malicious software on a visiting host about 10 percent of the time.

Granted, as exploit pack administration pages go, this one is very young (13,289 hits at the time this screen shot was taken), but already some patterns emerge from the data. For example, we can see that Java vulnerabilities are by far the most useful, comprising more than 90 percent of all successful exploits.

This pattern is not confined to Blackhole. Have a look at the following three screen shots, taken from the exploit results pages of three different working installations of SEO Sploit Pack, another common exploit kit. All three screen shots clearly show Java vulnerabilities are the most productive, accounting for between 50 and 65 percent of malware installs or “loads” (thanks to Malwaredomainlist.com for help on this).

For those who have not been following along, I also found Java flaws to be the leading exploit vectors for both the Crimepack and Eleonore exploit packs.

I believe that there are two reasons for this pattern: First, Java’s maker, Sun — now part of Oracle Corp. — for too long considered itself an enterprise software company, and chose to ignore that its software also is installed on something like 85 percent of the desktop computers on the planet (and 75 percent of Krebsonsecurity.com readers, according to Google Analytics). Also, it seems that many consumers simply aren’t aware that they have this software installed, or that it needs fairly frequent updating.

Adobe has taken some lumps over the past year for the number of critical vulnerabilities that hackers have found and exploited in its software. But for some reason, Java seems to get a pass from the tech and security press, even though Java flaws consistently are found to be the most useful for attackers who wield these automated exploit kits.

If you don’t use Java, consider removing it. You can always reinstall it later if you find you need it. If you do use Java, then please keep it up to date. Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version. The program can also be set to check for updates every day or every week, although I have found Java’s updater often fails to detect when a new version is available. Alternatively, programs like FileHippo’s Update Checker and Secunia’s Personal Software Inspector can help users stay up to date on the latest security patches.

Update, Oct. 12, 6:19 p.m. ET: Oracle just released an update — Java 6 Update 22 — that fixes 29 security flaws in the most recent version of Java.

69 thoughts on “Java: A Gift to Exploit Pack Makers

  1. Wladimir Palant

    As usually, the statistics show some rather strange details: are Chrome users twice as careless as Firefox users? And did MSIE users suddenly mutate into the world’s technical elite who almost always keep their browser up-to-date?

    But as the main point goes: yes, it couldn’t be clearer. Adobe took quite a beating (well-deserved) and they are slowly starting to do things right. So the focus will be increasingly shifting towards Java which still has the worst possible update story.

    1. drzaiusapelord

      >And did MSIE users suddenly mutate into the world’s technical elite who almost always keep their browser up-to-date?

      Considering Windows ships with autoupdate on by default, then yes, most end users are simply using the newest version once MS pushes it out.

      I also dont see why Chrome would be more secure. Afterall it runs flash and other plugins. Most exploits are not browser based – they are plugin based.

      1. Wladimir Palant

        You seem to bring up very strange points, are you certain you are replying to my comment and not something else?

        a) Windows Update is significantly better than Java Update – but that’s all I can say about it. It is definitely not perfect and it is well-known that many users skip installing Windows updates for various reasons.

        b) MSIE users might be running the latest Internet Explorer version – but they also need to keep Java up to date or they will be still vulnerable. The data above suggests that MSIE users are extremely successful at keeping Java up to date. Given that MSIE is known to be the browser of choice for technically less experienced users this makes no sense at all.

        c) Chrome isn’t more secure. However, the data above suggests that Chrome is significantly *less* secure. Given that plugin vulnerabilities are independent of the browser used, there is no good explanation for that. It could be that many Chrome users bought into the “it’s secure out of the box because of process separation” non-sense and don’t install updates any more but I doubt that this can explain twice as many infections for Chrome than for Firefox.

    2. george

      There are few things I don’t understand myself also. Why the Blackhole developer decided to put Mozilla and Firefox in 2 separate categories when showing browser exploit statistics ? Isn’t Mozilla just FireFox+Thunderbird ? It would be interesting to see the exploit success rate broken by country after a longer run, now it seems Japan and Indonesia run the most vulnerable configuration, but with only 9 hosts and 3 exploits, this is clearly not statistically significant to draw a conclusion.
      We might need to take this screenshot with a grain of salt, yes he claimed to Brian it comes directly from a live installation, but this is after all a criminal and, I suspect, when granted the instant messaging interview, he might have been motivated by the need to brag about his creation and to “raise market awareness” about his “product” since I suspect not only honest people are reading this blog.

      1. AlphaCentauri

        “Mozilla” (now called Seamonkey) is basically Firefox+Thunderbird, but they are different, and you can’t install Firefox plugins in Seamonkey.

    3. Brian Krebs

      Wow. I couldn’t have timed this column better. Looks like Oracle is getting ready to pile on patch Tuesday with a new version of Java today that fixes at least 29 critical security holes. Stay tuned for an update!

  2. JBV

    Never mind Java, it’s disconcerting to know that both Brian and Google are watching your every mouse click:

    According to Brian: “[Java] is installed on something like 85 percent of the desktop computers on the planet (and 75 percent of Krebsonsecurity.com readers, according to Google Analytics).”

    According to Google: “Google Analytics is the enterprise-class web analytics solution that gives you rich insights into your website traffic and marketing effectiveness. Powerful, flexible and easy-to-use features now let you see and analyze your traffic data in an entirely new way.”


    1. Brian Krebs

      It’s always interesting to see what is news to people. To say I’m watching everyone’s every mouse click is a laugh. I check my hits stats daily, but the rest of it I only glance at every now and then, and then usually only to see if the major site metrics have changed much.

      Most Web sites that run any kind of ads can tell a great deal about their visitors, including the percentage that browse with Flash, Java, etc., and in some cases which version of these programs. Google Analytics, for instance, tells me how many visitors have Flash installed, as well as a breakdown by version. GA doesn’t break it down by Java version, unfortunately.

    2. CloudLiam

      There are actually 4 trackers on this site. I don’t question Brian’s motives for using them; I’ve been following him long enough to know he’s on our side and I trust him beyond any doubt. That said, as an unrepentant advocate of online privacy I choose to block them universally. Ghostery and Noscript will perform that function quite well.

  3. bah

    @jbv, don’t be alarmed. Your local browser quite helpfully provides all these juicy details when making web requests. They always have.

    That is where Krebs is getting his Java usage data from.

  4. KFritz

    Greetings BK;

    I have an HP tower, Windoze 7 Biz w/ HP proprietary bells and whistles. (A friend advised that biz computers had better hardware than personals.) My “Uninstall” page only has provisions to remove the latest Java updates, not the program itself.

    I’ve found Java folders in the Programs and Programs (x86) in the big Computer/Programs folder. Is it safe to ‘Delete’ the Java folders?

    Parenthetically, what categories of users actually NEED Java in their machines?

    1. Carey Evans

      > What categories of users actually NEED Java in their machines?

      In my personal experience, those writing Enterprise Software or playing Minecraft. Neither of those needs the browser plugin enabled.

      1. Brian Krebs

        That’s correct. Games like Minecraft require Java but don’t require you to have the Java plugin enabled in the browser.

      2. drzaiusapelord

        I find Java has made a huge comeback in the business world because of all the GotoMeeting-esque software out there. A lot of people can’t or refuse to install the native client and simply run the Java client. I’m also seeing a lot of Citrix users doing the same.

        Yes, they could be using the native version, but why bother when their Java install is sitting there already and the Java client only requires a one or two clicks as opposed to four or five and restarting the browser the native client requires? Nor do you need admin rights to run the Java client.

        That said, I’d love to see Firefox or IE put up a warning for people with the webstart vulnerable version of Java when they start their browser, like how Firefox does with Flash.

        Its bizarre to me that Firefox will warn me about Flash and out of date add-ons, but is mum on out of date Adobe Reader and Java plugins, which are far, far more dangerous. Its time the browser makers upped their game here. The status quo is not working.

        1. xAdmin

          Where I work (large enterprise), they use Java extensively on both the server and workstation side. All the in house system developers code the high majority of apps with Java. It’s a major pain point on both servers and workstations as servers will periodically crash due to Java heap dumps (out of memory) or workstation issues due to required multi-versions of Java for various apps. All this is not even considering the security issues involved with Java.

          I guess it’s job security for server engineers and workstation techs, not to mention the help desk! Needless to say though, many of us in IT loathe Java! 🙁

      3. CloudLiam

        I had to install Java on an elderly Aunt’s computer so she could order checks from her bank online.

        I was shocked to say the least.

        1. xAdmin

          Ouch! Why not bail on the Java install and just call the bank to order checks? I know you can uninstall Java after the fact, but why gum up a system installing/uninstalling software unnecessarily? I’d also seriously be looking for another bank. That requirement is just unacceptable. 🙁

      1. xAdmin

        IMHO, Intellicast (http://www.intellicast.com) has the best maps and they only require Flash Player, no Java required. 🙂

        I guess the point is that there are always options out there if you wish to look for them. 🙂

        For me, there is NOTHING worth the risk of having Java or Adobe Reader installed on a system. They both raise the attack surface too much!

    2. KFritz

      Thanks all!! I’ll leave it alone. Disabled the Firefox Java plugin & will use the PSI tool.

  5. Spiff

    I use Java often enough that I don’t want to uninstall it. But when I’m not needing it, I uncheck the box in Firefox that says “Enable JavaScript.” Can anyone advise me how vulnerable to Java exploits am I when that box is unchecked? Thanks.

    1. BrianKrebs Post author

      Hi Spiff. Javascript != Java. These are two different things. Javascript is code rendered in the browser, whereas Java is a stand-alone program that includes browser plugins that handle “applets” mini applications that can run in the context of the browser or as a program separate from the browser.

      Javascript can be blocked across the board or selectively, by disabling Javascript in the browser (kind of hard to browse the web this way), or by allowing Javascript on a list of approved sites. Firefox has several add-ons that make this very easy, including Noscript and RequestPolicy.

    2. Spike

      JavaScript and Java are not the same thing.

      You could accomplish the same thing with less trouble by using the NoScript plugin for Firefox.

      But you still aren’t turning off Java.

      In Firefox try Tools -> Add Ons then find Java Quick Starter and click Disable.

      Also, my previous comment was incorrect, but I haven’t looked at the source code for a while. The NWS map now appears to use Flash instead. So much for open standards…

      1. CloudLiam

        Disabling Java Quick Starter does not disable Java. The stated purpose of Quick Starter is to improve the startup time for java apps, but I can’t see any improvement to speak of myself, and certainly none that justify having the process running in the background all the time.

        The best way to disable Quick Starter for all browsers is through the Java control panel under Advanced\Miscellaneous.

    3. george

      Spiff, I’m not a programmer, but to my knowledge JavaScript and Java are 2 completely different things, which only share (part of the) name.

  6. Mr. X


    On any private machines I maintain, I now change the Java update cycle to check daily. Thumbs up as well for PSI 2.0 beta.

  7. Rick Moy

    Yes indeed. Brian is right. Java is a problem. If you don’t use it, lose it.
    And, most endpoint security products do a poor job of protecting Java vulnerabilities. Will detail this in a future post about NSS Labs’ latest test results.

  8. Rick Zeman

    Technocrat, where do you get that “Java X” means that it targets OS X machines? Googling for that turns up….your post, which frankly, isn’t authoritative.

  9. Joff

    Half the problem is that the Java updater program / process is clunky, and obtrusive, especially on the Windows platform.

    If Oracle could fix this, and have a better way of transparently getting updates out to people, then much of this problem could be solved.

  10. David Chisholm

    I use JavaRa, a free program from raproducts.org, to manage Java Runtime Environment (JRE) versions on my PCs. (I am only a satisfied user, I am not affiliated with the developers or their company.)

    JavaRa’s main purposes are to easily update the JRE and to locate and remove old or redundant versions of the JRE.

    But it can also:

    remove the Startup entry for Java Quick Start

    remove Java IE BHO

    remove Java Console Extension

    remove the Sun Download Manager

    and other housekeeping tasks.

  11. Echo

    Certain applications such as OpenOffice.org require Java. Were one to remove Java, what functions would fail in OpenOffice.org?

    1. Sarah

      A page titled “Java and OpenOffice.org” in the OpenOffice wiki provides a detailed list of functionality depending on the Java Runtime Environment. Enter “openoffice java” in Google Foo to find it. The database engine, various wizards in the Writer, and assistive technologies are included.

  12. Andrei

    From the article I understand the issue is with the browser Java plugin, the part of the Java runtime exposed to websites and potential exploits.
    While disabling/uninstalling the Java browser plugin may actually provide good security, I don’t think the same goes for the whole Java Runtime Environment (JRE). This is used by applications written in Java, such as OpenOffice (indeed only selected components as pointed out by Sarah above)or Vuze bit torrent client.

    1. xAdmin

      haha very funny! 🙂

      You can’t really as it’s integrated with the operating system. Also, Java updates for Mac OS X are released by Apple, not Oracle and typically much, much later.

      This type of “integration” is a major pain point. It’s not just Apple either as newer versions of Windows (Vista and 7) include .NET, which recently had a major out of band patch (http://isc.sans.edu/diary.html?storyid=9625). Not to mention other things like Windows Search included in Vista/7, or that Open Office integrates with Java. All these things just raise the attack surface of a system and remove choice for the end user/system administrator. Sure they add functionality, but it chafes me to no end that I don’t have the choice and can’t simply remove what I don’t want. (Oh, also that I can’t revert the new Windows 7 taskbar to “Classic” mode! IE 9 is still in beta, but it too is removing choice in the UI design! Ugh!)

      As such, these types of things prevent me from even considering upgrading or switching. So, guess I’ll just stick with Windows XP where at least I have the choice and control that meets my needs/requirements. 🙂

      1. gordon

        Terrible choice. From a security standpoint, XP is an absolute disaster, as its track record proves.

  13. Mike

    I’m curious – were you speaking to this guy in Russian? Does he know he was talking to The Krebs or did he think he was talking to a partner in crime?

    1. Brian Krebs

      @Mike — I pinged him on ICQ. The developer lists his ICQ# on his ads, which can be found on various hacker forums. I spoke with him both in English and in Russian/translit. I did not volunteer my name (neither did I ask his real name), but inquired only as someone interested in learning more about his kit and how it works.

  14. bob

    Show me how you can rootkit a machine using java. Even if you could that would be an OS exploit. But you cant so shut up. There are far more C based virii infecting the world. This “pack” is a tiny sample of whats really out there and you know it.

    Nice screenshot. Ill say it again. Shut up.

    1. BrianKrebs Post author

      Bob — Keep your comments civil or you’re likely to be banned. At the very least, your comments will be quickly buried by other readers.

      Also, posting under numerous identities is the fastest way to get banned. So please stop.

  15. Bill

    There is a time card keeping system out there that requires a 2 year old version of Java to run on aPC. Every PC used by supervisors and up must have it in place. Not very comforting.

  16. Jonathon


    Thanks for putting the heat on Java/Oracle. Please keep it up!

    Even after I updated Java, I still see older versions of the plug-in enabled in Firefox. Can’t they get their updater/installer to remove these?!

  17. ch

    1) I routinely disable Java and Flash Plugins in my browsers. Flash because it’s annoying 75% of the time (the rest is youtube), Java because I rarely ever saw any website use it. Amongst the websites that did use it, 90% just used it for useless stuff that I didn’t want so see anyway. I always wondered why Java is installed in all these browsers anyway. I started disabling Java way back in the late 90ies, simply because it was extremely slow and had a tendency to crash my browser and/or computer. I started disabling Flash when everybody stated to use it to deploy ads. (I wish I could disable animated GIFs that easily!) Since Flash has found widespread use to deploy videos on the web, I’ve switched to a Flash blocker with a very short whitelist. I’ve been telling my friends and family to disable/block these plugins for years, and most are very happy with that, because it makes their browsers faster, more stable and it makes many websites load faster and be less annoying. Maybe these security problems are our chance to convince browser vendors to ship their browsers with pre-disabled or pre-blocked plugins.

    2.) Java Updates are a problem not just on Windows boxes, but also on MacOS X. The only operating systems that I know of that ships Java updates fast and in a manner that’s not too annoying to the user would be several linux distros — and I usually don’t even install it on Linux because I just don’t need it. OS vendors should just stop shipping their OS with Java pre-installed, since only enterprise users need it and they will have mechanisms to deploy it on their PCs.

    3.) Chrome is a nightmare in terms of security. Just look at the version history in Wikipedia or someplace else — no one can tell me, that Google considered security when they designed it, they’re making releases so damn fast, I’m wondering that the software runs at all. The main problem here seems to be that Google thinks, just because they sandbox everything, it’s more secure. That is so wrong, that I don’t know where to start.

    4.) I also always disable Windows Update and use WSUS Offline Update, because I’m not interested in Updates for Microsofts Digital Restriction Management and Anti-Piracy stuff. I don’t copy their software, so I see no legitimate reason why I should bother to update this junk, it’s obviously not working anyway. Once again: anti-piracy-stuff isn’t hurting the pirates, it’s hurting the legitimate users.

    However, I still think that even Windows Update is a real pain i.t.a., because it is extremely slow. How can it be, that the updates on my linux boxes have been very fast for years and microsoft still can’t figure out how to deploy their updates faster? After they’ve put so much money into securing their system, one would think it wouldn’t be to much to ask to make their updates fast. If they were faster, I wouldn’t mind them so much.

    I’d say that fixing the above complaints would not only make me a happier user, but it would also make computing much more secure. As far as I’m conserned, most vendors still didn’t get it right. Updates should be as un-annoying as possible, because as soon as they prevent users from working or start to bother them, they’ll start to avoid them. And once again: everything that is insecure should be disabled by default and it’s use should be discouraged. Why is this stuff still installed in browsers by default and why is it enabled by default?

    1. xAdmin

      I always run IE in No Add-ons mode whenever I want to minimize or prevent Flash player or any other Add-on from being invoked. In particular, I ALWAYS do this when accessing a sensitive website (ex. online banking) to reduce the attack surface of the browser.

      Also, I prefer using a blocking hosts file (from MVPS), which not only prevents ads from being displayed, but more importantly blocks malicious websites! Better yet, it works at the OS level, not just the browser (application level), so ANY program that attempts to access the Internet gets filtered through the hosts file. I swear it has kept malware from even getting to my systems many, many a time while browsing the far reaches of the Internet.

      Just be sure to keep it updated as new hosts files are typically released every month due to the every changing nature of the web. 🙂

  18. Knut

    I use java to cut television recordings with ProjectX. And there are some other nice tools.
    Using Java in the browser is not needed very much today. We are using flash and javascript today, which can easily render a computer useless for any other task than browsing by eating all available cycles.

    And for the banking software: Some banks used to give you windows only programs, which have not been changed since Windows 95. Have Fun !
    These programs don’t even render correctly on Windows 7. You have to guess where to click.

    And since the programs are not signed, they are likely to be infected, if any computer in the bank had a virus between 1995 and today.

  19. RandyN

    Last time I did a fresh install (~6 months), I didn’t install Java (for the first time in years). During those 6 months, I’ve only come across a handful of times, maybe 5, that something required Java to run.

    Not missing Java at all; in fact, good riddance.

    1. xAdmin

      Ditto for me, although it’s been years! The few times something wanted Java, a little Google foo found an alternative, usually a much better one too! The few times there wasn’t an alternative, I just moved on putting my system security above anything else. Some things just aren’t worth the risk. 🙂

  20. Roy

    I have 2 Java Console extensions and a Java Deployment Toolkit Plugin, and a Java Plugin for Mozilla browsers–all as add-ons in Firefox. I can not remove them but I can disable them (on Windows 7).

    In FireFox, I rely on Addblock, Flashblock and No Script.

    It appears that the Plugin for Mozilla browsers is required for Secunia OSI. I also use PSI, but I find that Psi doesn’t tell me specifically which Microsoft updates are required.
    I guess I may be stuck with having to keep updating Java.

  21. PCRoger

    I only wish we could remove Java.

    Their updater is certainly better than in the past, when it didn’t even remove previous versions – hence your mention to check add/remove programs. (I am amazed at how many versions of Java some PC’s have)

    Webinars, even recording via the web interface in AudioBoo (Audacity and mp3 uploading is an alternative there), but many apps specific to my legal clients require Java.

    Until then, just forever update.

    Good article.

  22. GIGO

    People just need to update. This is a modern realization. The same requirement exists for car owners to check oil and water.

  23. Natasha26

    Umm what I don’t like are those websites with java objects in them (so i guess applets) and like a fool Firefox just runs them without asking me anything (sometimes it does though). Then when I open java console, I see things like “server started” then I frantically go through a series of console commands {s, t, v, x, f, l, g} to try to kill that java program which is doing god knows what. Also, closing the relevant Firefox tab doesn’t stop it for like a good minute.

  24. Do not support Myths

    I still can´t understand that so many people actually supports the well known myth that Firefox is more “safe” than Internet Explorer..

    Please do check:
    1: http://secunia.com/advisories/vendor/18/
    Click on every Mozilla FireFox link and count the number of vulnerabilities on all versions available (from 0.x to 3.6x)
    And you will notice A WHOPPING 834 VULNERABILITIES FOUND IN FIREFOX.. ehh… 6 (?) years!!!!

    2: http://secunia.com/advisories/search/?search=internet+explorer
    Click on every Internet Explorer version link and count the number of vulnerabilities on all versions available (from 5.01 to 8.0)
    And you will notice a total of 618 Vulnerabilities found during the 15 years that Internet Explorer has existed!?!?!!!
    (Yepp! Including the last ones!)

    So the fact is:



    Also read: http://whitepapers.theregister.co.uk/paper/view/1531/sophos-myths-for-safe-web-browsing-wpna.pdf
    And look closer at MYTH 7 (An appropriate tiltle don´t you think!) where Secunia is quoted:
    “When security research firm Secunia tabulated the number of BROWSER EXPLOITS reported in 2008, Firefox was actually the least secure by a large margin”

    And that is due to Firefox excessive amount of vulnerabilities!
    (More vulnerabilities than Internet Explorer in a third of the time!)

    So… Shall we agree in NOT supporting the myth of firefix so called “safety”. This myth has been proven BUSTED!

    More vulnerabilities in a third of the time simply CAN NOT BE SAFER!!!!!!!

    (Please, excuse my english, Im Swedish…)

    1. Wladimir Palant

      The statistics you are linking to tell nothing about how secure a browser is, not to mention comparing apples and oranges.

      1. You are counting the number of *fixed* vulnerabilities. Let’s suppose Microsoft would decide to stop fixing vulnerabilities (which they more or less did in 2001). No vulnerabilities fixed means perfect score – most secure browser?

      Please allow me to link to a more meaningful statistic by an author you might know: http://blog.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html

      2. Vulnerabilities reported by Mozilla and Microsoft are in no way comparable. Mozilla has a strict disclosure policy – all resolved issues that might have a security impact are published, including the ones found by own employees and ones where it isn’t clear whether they are actually exploitable. Microsoft doesn’t have such policy and has been clearly using questionable approaches to “improve” their vulnerability score in the past.

      3. Nobody cares about MSIE vulnerability statistics from 10 years ago – back then far fewer vulnerabilities were reported simply because this matter wasn’t as important yet. The whole thing only really picked up about five years ago.

      The above doesn’t change the fact that these days it matters relatively little what browser you use. All vendors made significant investments into browser security, all have a working auto-update mechanism by now (though some approaches here work better than others). So browsers are no longer the top target, keeping the browser updated (*any* browser) is good enough. You seem to be new to Brian’s website, have a look at the older articles – security is primarily being endangered by browser plugins now.

      1. Do not support Myths

        “1. You are counting the number of *fixed* vulnerabilities. ”

        No! Those numbers are of all reported vulnerabilities, From whom ever discovered the vulnerability!
        And in the each link you can find details about how many vulnerabilities that still are not patched..

        So you are trying to approach the “stick your head in the sand”-approach “Noooo!!!! I do NOT want to hear about any flaws in Firefox”

        I reality every software has flaws, so you need to get used to hear about flaws in your “favorite softwares”..

        And the point (that you choosed to miss) is that a software that in 6 years time gathets more vulnerabilities than the opponent has in 15 years simply can not be considered “safer” in any way..
        That is totaly impossible!

        And in the matter of “browsers not beeing the top target” is not really the issue.. All you need is that one cyberjerk uses one vulnerability on your browser…

        the main issue here was actually the fackt that so many people do beleive in the myth that firefox is safer than Internet Explorer, when that “myth” has been proven Busted…

        Also note tha the linked document makes it clear that if you are NOT logged in with adminrigts 100% of all Internet Explorer vulnerabilities of that time would FAIL…

        That is a record that is hard to beat!

  25. Ray S.

    What seems clear is that Java has a very significant presence , enough that plenty of people will be inconvenienced and annoyed by what breaks when they uninstall it . I don’t think it makes much sense to cite anecdotal testimony from a bunch–even a big bunch–of users who manage to get along without it as justification for recommending its removal.

    Significantly, since 2006 or so, Java has been almost completely under GPL, and the record for open-source communities pouncing on security holes is excellent. The recent history of Java’s support seems surprisingly atypical in that respect, but that can change, and perhaps this latest news might give the needed boot to the butt to do that.

  26. Ray S.

    It’s simplistic to make security comparisons simply by the numbers of vulnerabilities reported and fixed. Mozilla, being open source, has two distinguishing characteristics: one is that problems, and their solutions, are visible to the world in real time, and tend to get both documented and fixed individually, and quickly. It’s full disclosure all the way.

    How Microsoft aggregates and reports the problems it fixes is visible only to itself. To its credit, it is at least fairly up-front in the relevant KB articles, but its bugfixes are still less granular than Mozilla’s, and that can inflate the ratio of numbers of vulnerabilties in Windows/IE to Mozilla.

    1. Ray S.

      Er… Got that ratio backwards, but I’ll bet you know that already… 😉

  27. Jeff

    I know this is going off track, but maybe people can briefly explain a couple of things, or at least point me somewhere better to ask.

    I was planning to start teaching myself java because there’s a particular app I’d like to create for a website I’m doing some (non-professional) work on. I then read the article in Windows Secrets that says java’s a big security risk & implying that it’s rarely used these days, & pointed me here.

    I want to create a calendar/diary app to embed in the site showing bookings that’ll be read only for everyone but me. The reason I thought of java is because of its portability but, as I don’t know any programming (but want to learn some anyway), what should I use if not java?

    Alternatively, does anyone know of a free calendar/diary app I could get?

    Thanks all

    1. Roy

      Not sure why you need Java for that but don’t believe this Microsoft BS! They are in the same boat as Java and trying to get their Silverlight or whatever new cross-platform C# ASP .Net garbage off the ground. If you go in that direction, then why not go with Flash?

      I see the calendar problem as lots of Php server-side code. Php or Perl or Python, take your pick. You might need a little javascript on the client-side but nothing like a full-blown Java application unless, this is your intention.

      But you’re right on one thing… this is off topic 😉

Comments are closed.