Lack of Java security a continual problem for enterprises

Over the past few years, this blog has discussed the security risks of using Java-based applications. While it may seem like little has changed on this front, the continued discovery of new flaws and vulnerabilities in this software persists and reinforces the idea that enterprises should move away from Java to reduce their exposure to risk.

According to an update from Oracle released this month, the company deployed 193 patches to fix security hazards within Java as part of its Critical Patch Update. Across the products covered, both Oracle's own and third-party components, 25 of the fixes apply to Oracle Java SE. Of this subgroup, only one applies specifically to Apple users; the majority of the fixes are for Java clients. In a blog post about the update, Oracle said that most of the flaws "are remotely exploitable without authentication."

With this latest round of flaws coming to light, the question persists: why use Java at all? Writing for CSO Online, Tony Bradley explains why the Java platform is so attractive to hackers and represents a continuing liability.

"The incentive to target exploits at Java and Flash is based in part on their success," he said. "Both platforms / applications are somewhat ubiquitous and can be found installed on the vast majority of systems—even across different operating systems. Attackers like to exploit Java and Flash because a successful attack has a much broader pool of potential targets to compromise."

Companies don't have to rely on Java the way they may have had to in the past for important tasks like legacy terminal emulation in current systems. With Flynet Viewer, enterprises use an HTML-based application that fits into browsers on new devices and doesn't have the legacy problems of older solutions.