Java browser plugin is cheaper to exploit than Flash

A French company that mines and sells zero-day exploits to governments says the lower cost of exploiting Java is attracting hackers towards it over Adobe’s Flash.

"We see that criminals are moving from Flash to Java. We don't see many Flash exploits in the wild these days," Chaouki Bekrar, chief of French security firm Vupen, told Kaspersky’s news service at the HP-TippingPoint CanSecWest hacking conference this week.

Vupen has gained a degree of infamy for its connections to government surveillance campaigns in the Middle East and its reluctance to cough-up exploits to vendors. For example, at last year’s Google-sponsored Pwn2Own contest at CanSecWest it withheld Chrome exploits from Google, despite the internet company paying $60,000 for the prize.

The company has done well at this year’s contest and says security risks of Java are so bad that the software needs a “redesign”, according to Vupen’s Bekrar.

Flash and Java share a common trait that make them popular amongst hackers: they’re both complex pieces of software on billions of systems.

Adobe Flash delivers web video content to billions of desktops, while Oracle’s Sun-inherited Java, an integral part of web applications, is on 3 billion machines. In the last month, both firms have released unscheduled updates to address zero-day flaws impacting users of their respective software.

Flash and Java are known to be popular targets for exploit writers, and the companies responsible for them have been investing in methods to minimise risks to users. But there’s a key difference in the results the two have achieved, which may explain why Russian security firm Kaspersky deemed Java as the most dangerous software in 2012.

In the context of attacks that exploit Flash and Java browser plugins, sandboxing has made Flash more difficult to exploit, according to Vupen’s Bekrar. Flash sandboxing in Firefox and Chrome thwarts the paths to install malware by isolating Flash processes from the system it resides on. There is no equivalent for the Java plugin.

"Writing exploits in general is getting much harder. Java is really easy because there's no sandbox,” said Bekrar.

“Flash is a different thing and it's getting updated all the time and Adobe did a very good job securing it. It's more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure."

But the bigger problem for Oracle is that the sandboxing Adobe has implemented for Flash won’t have the same effect on Java.

“The code base is too big. Adding a sandbox in the browser won't change anything," said Bekrar.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityjavaflash

More about Adobe SystemsCSOGoogleHPKasperskyOracleTippingPointTippingPoint

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place