
I've taken a graph of the number of CVE reports concerning the JRE per year.

[graph: CVE reports per year]

Now, as you can see, this spiked in 2012-2013, which could have been guessed easily if you look at the number of news items concerning Java in the past years. However, I'm having trouble finding an explanation why:

  • Did Java get more popular?
  • Did Java just become more popular for hackers?
  • Is it because of the acquisition by Oracle?
Glenn Vandamme
  • Also remember that the final datum point is not really applicable. 2014 may end up higher than 2013. Discounting it means the only real anomaly is why it didn't ramp up from 2008 - what kept it down? – Rory Alsop Apr 07 '14 at 14:58
  • Worth noting that there were a number of significant security *fixes* put forth by Oracle in 2013: [February](http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html) -- *Oracle decided to accelerate the release of this Critical Patch Update because active exploitation “in the wild” of one of the vulnerabilities* (their own words), [October](https://community.qualys.com/blogs/laws-of-vulnerabilities/2013/10/15/oracle-cpu-october-2013) -- *indicating..vulnerabilities..used to take full control over the attacked machine over the network without requiring authentication* – goldilocks Apr 07 '14 at 15:35
  • 1
    My impression is that more and more ill-advised functionality is crammed into each successive release. – Hot Licks Apr 07 '14 at 21:27
  • 1
    I suspect there may have been some "deferred maintenance" in the last years under Sun. – Warren Dew Apr 08 '14 at 08:19
  • Plot the major JDK release dates and see if they line up. New releases invariably contain new security features. Hence why businesses don't upgrade until it's been 'in the wild' for a period of time. – Philip Whitehouse Apr 08 '14 at 19:10
  • As an additional, the main security group moved on to Java Cloud Service - they were responsible for a ton of the CVEs: http://www.security-explorations.com/en/SE-2012-01-status.html – Philip Whitehouse Apr 08 '14 at 19:15
  • Also note that many of the Java vulnerabilities are with the Java plug-in and are only relevant to running it in a web browser. If you don't need Java in the browser, you can use the Server JRE, which includes some additional monitoring tools but does not include the web browser plug-in. – David Conrad Apr 10 '14 at 16:45
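The per-year count behind the question's graph, as an added example (it is not the asker's own script). It buckets records by publication year, or alternatively by the year embedded in the CVE id, and flags the final year as partial, which is the caveat raised in the comments above. The flat record shape is a simplification assumed for the example, the CVE ids are constructed and match no real CVE, and filing pre-acquisition entries under CPE vendor `sun` and later ones under `oracle` is an assumption about how the CPE names are recorded.

```python
"""Count JRE CVE records per year.

Added example, not the asker's script.  The records below are constructed
test data: the ids use a 9xxxx sequence so they match no real CVE, and the
flat {"id", "published", "cpes"} shape is a simplification of a CVE feed.
"""
from collections import Counter
from datetime import date
import re

# Constructed sample records (not real CVEs).  Vendor "sun" for the
# pre-acquisition entries and "oracle" afterwards is assumed to mirror how the
# CPE names are filed; a count that matches only one vendor under-reports.
SAMPLE_RECORDS = [
    {"id": "CVE-2008-90001", "published": "2008-03-03", "cpes": ["cpe:/a:sun:jre:1.6.0"]},
    {"id": "CVE-2009-90002", "published": "2009-11-05", "cpes": ["cpe:/a:sun:jdk:1.6.0"]},
    {"id": "CVE-2012-90003", "published": "2012-08-31", "cpes": ["cpe:/a:oracle:jre:1.7.0"]},
    {"id": "CVE-2012-90004", "published": "2013-01-14",
     "cpes": ["cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jdk:1.7.0"]},
    {"id": "CVE-2013-90005", "published": "2013-02-02", "cpes": ["cpe:/a:oracle:jre:1.7.0"]},
    {"id": "CVE-2013-90006", "published": "2013-06-18", "cpes": ["cpe:/a:oracle:jre:1.6.0"]},
    {"id": "CVE-2013-90007", "published": "2013-10-16", "cpes": ["cpe:/a:mozilla:firefox:24.0"]},
    {"id": "CVE-2014-90008", "published": "2014-01-15", "cpes": ["cpe:/a:oracle:jre:1.7.0"]},
]

# "cpe:/a:<vendor>:<product>[:<version>...]"; match the JRE under either vendor,
# and only the JRE: a JDK-only record is not counted.
JRE_CPE = re.compile(r"^cpe:/a:(sun|oracle):jre(:|$)")


def affects_jre(record):
    """True if any CPE on the record names the JRE."""
    return any(JRE_CPE.match(cpe) for cpe in record["cpes"])


def year_of(record, basis):
    """Year to bucket a record under.

    "published" uses the publication date; "id" uses the year embedded in the
    CVE id.  They differ for ids reserved late in one year and published in
    the next, so a graph should say which basis it uses.
    """
    if basis == "published":
        return date.fromisoformat(record["published"]).year
    if basis == "id":
        return int(record["id"].split("-")[1])
    raise ValueError(f"unknown basis: {basis}")


def count_per_year(records, basis="published"):
    """JRE records per year, zero-filled so years with no entries still plot."""
    years = Counter(year_of(r, basis) for r in records if affects_jre(r))
    if not years:
        return {}
    return {y: years.get(y, 0) for y in range(min(years), max(years) + 1)}


def fraction_of_year_elapsed(today):
    """Share of today's year already passed; a bar drawn for the current
    year only covers this much and is not comparable to complete years."""
    start = date(today.year, 1, 1)
    end = date(today.year + 1, 1, 1)
    return (today - start).days / (end - start).days


def summarize(records, today_iso, basis="published"):
    """Per-year rows with the running year flagged as partial."""
    today = date.fromisoformat(today_iso)
    rows = []
    for year, n in count_per_year(records, basis).items():
        partial = year == today.year
        rows.append({"year": year, "count": n, "partial": partial,
                     "fraction": fraction_of_year_elapsed(today) if partial else 1.0})
    return rows


if __name__ == "__main__":
    # Dated to match the comment thread: the last bar covers about a quarter of a year.
    for row in summarize(SAMPLE_RECORDS, "2014-04-07"):
        note = f"  (partial: {row['fraction']:.0%} of the year)" if row["partial"] else ""
        print(f"{row['year']}: {row['count']}{note}")
```

On the constructed data the two bases already disagree (one record has a 2012 id but a 2013 publication date), which is the sort of detail that shifts a bar between adjacent years on a real feed; the zero-filled dictionary keeps the quiet years visible instead of letting a plotting library drop them.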

3 Answers


I think this is a "trend effect", which is also the driving force behind everything about fashion (in the "clothing" sense). Please allow the local Frenchman to talk about fashion.

Fashion is a deeply self-contradictory social behaviour. People who follow fashions seek both:

  • to gain acceptance in a given local group by displaying adherence to perceived agreed-upon codes (e.g. the arbitrary choices of cloth shapes and textures and colours);
  • to gain visibility within the same group by displaying a bold (implicitly: bolder than other group members) will to embody the most up-to-date or even future social codes for that group.

In effect, the fashion victim must be both a leader and a follower. If the context were electronics, we would say that we observe a circuit with positive feedback, which must necessarily exhibit sharp transitions between locally stable configurations. An extra effect is that, in clothing fashion, the only universal effect is fast depreciation: no fashion may ever remain active for more than a few months. In short, fashion is fast-paced, and when it tilts one way ever so slightly, everybody rushes in that direction. This explains the way fashions come and go with violent abruptness.

Hackers are the geek version of fashion victims. Their interest and efforts are always driven by what seem to be "hot subjects". People who spend their days and nights on keyboards are often very sensitive to social exclusion (since they get little society on average), so they abhor the idea of concentrating on a "has-been" technology which would deprive them of the last shreds of peer recognition that they may hope for. Therefore, when a topic seems to promise glory, they all run towards it. "Glory" can here be equated with "slashdottable".

In the specific case of security and Java, the trigger may well have been, indeed, the acquisition of Sun by Oracle. Oracle is a known "bad guy", so there is always some fame in finding security holes in Oracle's products (computer people have always had a soft spot for nihilism). Moreover, the security model of Java (the applet model) looks ripe with potential vulnerabilities: in the Java applet model, the "security perimeter", which is the boundary between the hostile world (the applet code itself) and the protected world (the host system), goes through the standard library API: hundreds of system classes must check and enforce the complex system of permissions. The attack surface is huge. There MUST be holes now and then. Sun's people were quite good at what they did, but making the applet model safe would take divine development powers.

As soon as a few bugs were found and publicized, the idea of unclaimed reputation riches went through the collective hackers' minds like a fire in the savannah, and they all rushed. Such is the power of Bonanza. Once brains are ablaze with the promise of wealth (in this case, Twitter followers or Slashdot scores), there is no stopping them.

It will end soon, though. "Java bugs are soooo 2013 !"

Tom Leek
  • 2
    Note: "rife with potential vulnerabilities", not "ripe". – David Conrad Apr 07 '14 at 20:21
  • 2
    Why are Java bugs so 2013? Didn't Java-8 just come out? There's bound to be more bugs.. – CantChooseUsernames Apr 07 '14 at 20:33
  • 2
    @DavidConrad Normally "rife" would be more apt, but everyone knows that *applets* can ripen. – Aaron Novstrup Apr 07 '14 at 23:54
  • 1
    @CantChooseUsernames There could very well be some decent bugs in Java 8. A lot of the bugs in Java 7 were related to things that got refactored between 6 and 7, and 8 has some major changes relative to 7. However, Java 8 bugs won't be as "cool" - partly because of fashion, and partly because there's been a big move away from Java applets, motivated by the bugs that appeared in Java 7. – James_pic Apr 08 '14 at 08:18
  • @DavidConrad well, "ripe" in the sense of "ripe for the picking", thus apt in my opinion. Anyway, this answer gets my vote - an insightful viewpoint. Well done! – Alex Apr 08 '14 at 19:58
  • I am deeply impressed; incredibly insightful, I'd bet right on the money, and just darn well written. +1 – BrianH Nov 07 '14 at 17:02

Excellent infographic! Unless someone were to actually sit down and read through the various CVEs and understand them in and out, it would be difficult to provide any sort of substantial answer. That said, I'm willing to conjecture wildly here.

  1. Browser creep -- with three mainstream browsers (IE, Firefox, and Chrome), the plugins have to be developed for a broader set of overall environments. Different browsers are going to have different hooks back to the actual browser environment, so it would follow that there are going to be various oversights in integrating with such a varied environment (don't forget smartphones too!)

  2. Android -- Never before has Java been so widely used as it is today, due in large part to Android. With more developers hammering at the platform (not the Android platform, but the core platform of Java), it's natural that more bugs are found, and as the developer world becomes more conscious of security, it is natural that these bugs be reported and disclosed.

  3. (tin-foil hat alert!) Conspiracy -- it's possible Oracle is trying to kill Java (like Adobe killed Flash). Reasons for this elude me as my conspiracy sombrero isn't big enough to conceive or contrive such fantastic things, but I don't exclude the possibility.

That's the extent of my wild conjecture.

Cheers,

-C

C.J. Steele
  • 3
    #2 is not applicable, as Android does not make any use of the applet sandbox security model. #3 is also very dubious – Oracle has been pouring huge amounts of money into Java, and development is stronger than ever. – ntoskrnl Apr 07 '14 at 16:05
  • 2
    #1 also thin WRT to smart phones since neither Android nor iOS will run applets. – goldilocks Apr 07 '14 at 16:54
  • 1
    @ntoskrnl and goldilocks - why are you so hung up on applets? Can there not be security flaws without applets? – AviD Apr 08 '14 at 21:20
  • @ntoskrnl Read from here http://chat.stackexchange.com/transcript/message/14840511#14840511 – Adi Apr 10 '14 at 10:13

JRE 7 added a lot of new features and a lot of bugs. In Jan 2014, updates to JRE 7 made it radically harder to run applets.