A French company that mines and sells zero-day exploits to governments says the lower cost of exploiting Java is attracting hackers towards it over Adobe’s Flash.
"We see that criminals are moving from Flash to Java. We don't see many Flash exploits in the wild these days," Chaouki Bekrar, chief of French security firm Vupen, told Kaspersky’s news service at the HP-TippingPoint CanSecWest hacking conference this week.
Vupen has gained a degree of infamy for its connections to government surveillance campaigns in the Middle East and its reluctance to cough-up exploits to vendors. For example, at last year’s Google-sponsored Pwn2Own contest at CanSecWest it withheld Chrome exploits from Google, despite the internet company paying $60,000 for the prize.
The company has done well at this year’s contest and says security risks of Java are so bad that the software needs a “redesign”, according to Vupen’s Bekrar.
Flash and Java share a common trait that make them popular amongst hackers: they’re both complex pieces of software on billions of systems.
Adobe Flash delivers web video content to billions of desktops, while Oracle’s Sun-inherited Java, an integral part of web applications, is on 3 billion machines. In the last month, both firms have released unscheduled updates to address zero-day flaws impacting users of their respective software.
Flash and Java are known to be popular targets for exploit writers, and the companies responsible for them have been investing in methods to minimise risks to users. But there’s a key difference in the results the two have achieved, which may explain why Russian security firm Kaspersky deemed Java as the most dangerous software in 2012.
In the context of attacks that exploit Flash and Java browser plugins, sandboxing has made Flash more difficult to exploit, according to Vupen’s Bekrar. Flash sandboxing in Firefox and Chrome thwarts the paths to install malware by isolating Flash processes from the system it resides on. There is no equivalent for the Java plugin.
"Writing exploits in general is getting much harder. Java is really easy because there's no sandbox,” said Bekrar.
“Flash is a different thing and it's getting updated all the time and Adobe did a very good job securing it. It's more expensive to create a Flash exploit than a Java one. Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure."
But the bigger problem for Oracle is that the sandboxing Adobe has implemented for Flash won’t have the same effect on Java.
“The code base is too big. Adding a sandbox in the browser won't change anything," said Bekrar.