Report: 88 percent of Java apps vulnerable to cybercriminals

Yet another data security organization has released an extensive study substantiating the inherent insecurity of Java. Earlier this year, the Burlington, Massachusetts-based data security firm Veracode analyzed 250 billion lines of code in an effort to assess the stability of modern digital tools and discovered that approximately 88 percent of open-source Java applications include at least one significant component vulnerability, according to an internal research report published Oct. 18. The company conducted the same penetration study in 2016 and found that 97 percent of the Java applications they scanned featured backdoors susceptible to hacking, Fortune reported.

Veracode Chief Technology Officer Chris Wysopal discussed the latest report with Info Security Magazine, imploring internal enterprise information technology personnel to carefully track their Java assets and implement patches when necessary, especially those utilizing applications with complicated user interfaces that employ significant numbers of components.

"Development teams aren't going to stop using components – nor should they, but when an exploit becomes available, time is of the essence," Wysopal told the publication. "We've now seen quite a few breaches as a result of vulnerable components and unless companies start taking this threat more seriously, and using tools to monitor component usage, I predict the problem will intensify."

Java is the most popular enterprise coding language, according to the software quality firm TIOBE, which maintains a comprehensive code index. This means a vast majority of organizations are at risk of compromising customer or company data due to the presence of exploitable vulnerabilities in their mission-critical applications.

Understanding the problem
IT professionals are regularly reminded of the instability of Java, as the language is regularly identified as the culprit in large-scale, public data breaches. However, these technical specialists received perhaps their most impactful reminder yet in September, when hackers leveraged a long-standing vulnerability in the Java-based, web application development framework Apache Struts to extract the birth dates, home addresses, names and social security numbers of 143 million Americans from the servers at the credit reporting giant Equifax, according to ZDNet. Security specialists had actually discovered this weakness earlier in the year, when cybercriminals used it to invade numerous open-source programs. The Equifax IT team apparently neglected to patch the vulnerability and, as a result, facilitated one of the largest data breaches ever recorded, CNN reported.

"An estimated 88 percent of Java applications include serious vulnerabilities."

On Oct. 17, exactly one month after the Equifax hack, reporters at Reuters discovered that Microsoft suffered a significant breach in 2013 that went unreported. Highly-skilled hackers from an international collective called Morpho, which specializes in intellectual property theft, were apparently able to break into the internal servers where the Redmond, Washington, company tracks software bugs. How? The cybercriminals took advantage of a vulnerability hidden deep within an internal Java application. This intrusion not only damaged Microsoft's systems but also put customers at risk, as the bugs discovered in the database could easily be used to enter software products employed by billions. For example, an estimated 1.4 billion people in 140 countries use Microsoft Office, according to the software firm.

"Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," former Chief of Staff to former Secretary of Defense Ashton B. Carter Eric Rosenbach told Reuters.

Finding a solution
In the process of evaluating the applications included in the Veracode report, Wysopal and his team managed to mend more than 10.9 million flaws, many of which resided in Java applications. However, the team at Veracode found a total of 12.8 million flaws, meaning a large number of vulnerabilities remain unfixed. It is, of course, up to internal IT departments to address these backdoors and keep precious digital assets safe. Oracle recently released a list of more than 250 Java vulnerabilities with accompanying patches, Dark Reading reported. Technical specialists must obtain these patches and implement them as soon as possible to avoid an Equifax-like scenario from unfolding.

That said, if your organization is using a Java-based terminal emulator like IBM's Host-on-Demand or the Java based Host Access Transformation Services (HATS), there is another option that requires less work and results in fundamentally more resilient web-based infrastructure: getting rid of certain Java applications altogether. Organizations can avoid the immense risks that come along with Java at the client by launching internal IT modernization efforts and swapping Host-On-Demand and/or HATS for a more effective, up-to-date and secure alternative like Inventu's Flynet Viewer. Firms interested in embarking on such efforts should connect with the Inventu Corporation.IT modernization efforts and swapping the language for a more effective, up-to-date and secure alternative like JavaScript. Firms interested in embarking on such efforts should connect with the Inventu Corporation. 

Here at Inventu, we offer the Flynet Viewer, which supports pure web terminal emulation and allows in-house developers to produce reliable software using Windows servers and clean JavaScript. This innovative solution eases the IT modernization process and meets employer and staff expectations in a way that feels both familiar and simple. Contact us today or review our extensive product catalog to see how Inventu can facilitate the development of secure, Java-free backend infrastructure.