Oracle estimates that 97% of enterprise desktops run Java, 89% of desktops in the U.S. run Java, and 3 billion mobile phones run Java. That market share makes Java a juicy target for cyber criminals. Java in the browser is particularly vulnerable to security threats known as ‘exploit kits.’
Exploit Kits Render Java Insecure
According to Joshua Cannell writing on Malwarebytes Labs, “an exploit kit is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting vulnerabilities to upload and execute malicious code on the client. The exploit kit gathers information on the victim machine, finds vulnerabilities and determines the appropriate exploit, and delivers the exploit, which typically silently drive-by downloads and executes malware.”
Here’s the scary news: “Kits continue to include exploitation of vulnerabilities that were patched years back, as there continues to be a significant population of unpatched machines.” The good news is that you can reduce risk by keeping current with the latest patches, but the challenge for you and your users is that security fixes for Java, Flash and other browser plugin technologies are coming at a dizzying rate.
Moving Away from Java in the Browser
A more practical approach to security is to move away from Java in the browser. In fact, Oracle recently announced plans to deprecate the Java browser plugin in JDK 9. Dalibor Topic, principal product manager for Open Java Development Kit, said the following in a January 27, 2016 blog post:
“By late 2015, many browser vendors have either removed or announced timelines for the removal of standards based plugin support, eliminating the ability to embed Flash, Silverlight, Java and other plugin based technologies.
“With modern browser vendors working to restrict and reduce plugin support in their products, developers of applications that rely on the Java browser plugin need to consider alternative options…Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.”
Essentially, this means you need to start migrating away from any applications that rely upon Java browser plugins as soon as possible to reduce your organizational risk. This is exactly why we have updated MOVEit File Transfer (DMZ) v8.3 to include a new way to transfer files over the browser.
MOVEit 8.3 Provides Java-Free Security