Kaspersky has just released its analysis of security threats in Q3 2012 and top of the list is Java. This isn't encouraging given the recent bad press the language system has received.
There seems to have been something of a backlash against Java in the past few months. For example, not happy with just killing off Flash, Apple has now removed Java from its hardware. In addition many PC users were spooked into removing Java altogether, rather than just disabling its use in the browser.
Was all of this justified or is it some sort of conspiracy against Oracle via Java?
According to the latest findings from Kaspersky Labs, it does look as if the concerns have a basis in fact. It seems that Java played a role in 56% of attacks. The only thing that comes even close is Adobe Acrobat at 25%.
Kaspersky comments that the cross platform nature of Java makes it attractive to malware writers as well as to app developers. It also points out that the lack of an enforced Java update mechanism means that vulnerabilities tend to stay active for longer. With an estimated 1.1 billion Java installations, this seems all too reasonable.
Recently it seems that the sandboxing provided by the Hotspot VM has been compromised and this exploit not only turns up in targeted attacks but in exploit packs, allowing others to use the same entry points with little effort.
If Oracle wants to stem this tide of bad publicity it needs to reconsider the rate at which it generates patches and how it issues updates to the JRE.
It is also interesting to note that Windows and IE account for only 4% of vulnerabilities, which is possibly due to the enforced updates introduced in the last few years. Adobe Flash notched up an insignificant 3%. Could it be that malware writers have given up on it too? Android root attacks also accounted for only 2%.
The rest of the report is also worth reading.