Cybercriminals Mourn Java Plug-In DeathOracle Deep-Sixes Browser Plug-In
See Also: Threat Horizons Report
Oracle announced its decision "to deprecate the Java browser plugin in JDK 9," in a Jan. 27 blog post. "This technology will be removed from the Oracle JDK and JRE in a future Java SE release." The future release in question appears to be version 9 of the Java development kit, which Oracle plans to release on Sept. 22.
"Oracle's Java plug-in move has no doubt sparked fury from cybercrime kingpins."
Oracle has attempted to portray the decision to kill the Java browser plug-in as being out of its hands. Indeed, it has blamed browser makers' planned or already executed "removal of standards-based plugin support" for robbing browser users of their right to employ not just Java, but also Adobe Flash and Microsoft Silverlight.
In place of the Java plug-in for browsers, Oracle advocates applet-generating technology called Java Web Start - a.k.a. JAWS - which was first introduced by former Java owner Sun in 2001.
Crimeware Community Craves Java
Oracle's Java plug-in move has no doubt sparked fury from cybercrime kingpins, who since 2010 have been lauding the Java plug-in for its wide install base, the easy exploitability of "older" plug-ins - generally referring to any version at least a few weeks old - as well as its ability to enable them to automatically target and exploit large numbers of PCs at once. By adding in Java exploits, they also report being able to command record prices for the exploit toolkits that they lease or sell to the cybercrime community.
Similarly, Oracle's decision to not enable users to easily identify when they were running older, vulnerable versions of the plug-in has given cybercriminals an even bigger "attack surface" to target. Indeed, many users have been inadvertently running two or more vulnerable versions of old Java on any given endpoint.
That's why it's no surprise that leading cybercrime toolkit sellers regularly include exploits for Java, which reportedly work on an average of 10 percent of all PCs. But after the emergence of a new zero-day flaw in Java, the exploit success rate has occasionally spiked to an estimated 80 percent, at least based on studies of the Blackhole exploit kit. That's been music to cybercriminals' ears, thus allowing them to quickly compromise large numbers of PCs and ransack them for sensitive data, or turn them into nodes for launching distributed denial-of-service attacks or spam.
Will cybercriminals now be forced to look elsewhere to make a fast buck?