Future Tense

Java Was Really Insecure For a While. Then It Got Better. Now There’s a New Problem.

Java has a new vulnerability after two years without incident.

Image from Java

In 2012 and again in 2013 my colleague Will Oremus wrote that, “you should probably disable Java on your browser right now.” Welcome to the 2015 edition!

Java is a popular programming language often used on websites to deliver multimedia content. After frequent attacks and cybersecurity problems in versions 6 and 7, owner Oracle released Java 8 to help remedy the situation. It’s been almost two years since Java has had a zero-day vulnerability (an exploit with no patch), but the party is over.

Over the weekend, researchers at the security software company Trend Micro disclosed a Java exploit that the hacker group Pawn Storm (also known as APT28) has been using to target “a NATO country and a US defense organization.” In addition to governments around the world, Pawn Storm has also been known to target media organizations and defense contractors.

Brooks Li and Feike Hacquebord, two Trend Micro researchers, report that the vulnerability is in Java 8 Update 45 from April. Versions 6 and 7 are not affected. “We … recommend users to disable Java in browsers if installed due to an application,” they wrote.

As CIO points out, documents leaked in the recent breach of surveillance-technology maker Hacking Team revealed three vulnerabilities in Flash Player, which often performs similar functions to Java on websites. The Register writes, “No Flash, no Java makes web a dull, but safer, place,” and until there are patches for these exploits, disabling Flash and Java is the safe thing to do.

Christopher Budd of Trend Micro writes, “Disabling both Flash and Java is advisable. Extra caution should be exercised for the foreseeable future and special attention paid for the possibility of compromised ad servers.”

Oracle did not immediately respond to a request for comment. I’ll update if it does.

In 2013 Oremus wrote, “Next time everyone is freaking out about a new Java hack, the only decision you’ll face is whether to nod sympathetically or smugly.” So, how did you do?