The most commonly used programming language is also the most vulnerable

Earlier this week, TIOBE Software published the latest edition of its TIOBE index:

The TIOBE Programming Community index is an indicator of the popularity of programming languages. The index is updated once a month. The ratings are based on the number of skilled engineers world-wide, courses and third party vendors. The popular search engines Google, Bing, Yahoo!, Wikipedia, YouTube and Baidu are used to calculate the ratings. Observe that the TIOBE index is not about the best programming language or the language in which most lines of code have been written.

I took a look at the index and it makes some rough sense; these are the most used programming languages.  Here are the top 10, from most to least used:

  1. Java
  2. C
  3. C++
  4. C#
  5. PHP
  6. Objective-C
  7. Visual Basic
  8. Python
  9. Perl
  10. JavaScript

I have used Java a lot in the past.  Many years ago, before I started fighting spam, I wrote a stock market charting application.  I did this because I liked investing in stocks but I was too cheap to pay for a subscription to an existing application that I used previously (I was recently laid off but was freelancing – this was a bit after the dot com bust, around 2003 or 2004).  I then extended the application into a trading simulator where you could practice buying and selling trades.  I even made it so that if you entered in a passkey, based upon your username and using an encryption mechanism, it would unlock many other stocks that you could practice on.  It was a pretty neat application at the time and how I built my coding skills.

Then I got a real job and paid for a subscription to my other charting service.  But to this day, I haven’t found a good application to test trading.  I’ve always thought that based upon my regex skills (I subsequently wrote a ton of Perl applications to do screening) I could have written a great application myself.  I never did… but it would have been cool.

I selected Java because I had a GUI to develop in (NetBeans) and the language was platform independent. Development was free, other than my personal time.


My cat is also named Java (although I didn’t name her, my brother did).


Looking at the TIOBE index, a lot of other people have also selected Java as their language of choice.  I am surprised that it is more common than either C or C++, but I guess the reasons others use it are similar to my own.

But if I were to pick a platform today, I wouldn’t use Java.  Why not?  Because there are so many security vulnerabilities.

In the Key Findings of the latest Microsoft Security Intelligence Report, the most commonly exploited platform is Java.  Observe how Java exploits exploded in the second half of 2010:

[Figure: Java exploits by period, from the Microsoft Security Intelligence Report]

As the report says, malware targeting Java has been around for years, but attackers did not focus on it in volume until recently.

In a blog post published on the Microsoft Malware Protection Center blog in October 2010, Holly Stewart wrote that the MMPC team had observed an unprecedented level of exploit attacks against Java, far surpassing attacks on Adobe PDF vulnerabilities.  As Stewart writes, the surge is driven by a small number of vulnerabilities, with attack counts increasing from hundreds to thousands to millions.

[Chart: Java versus PDF attacks through 2010 Q3, from the MMPC post]

I started noticing Java vulnerabilities a few months ago when I kept getting notices to update my Java software through their auto-update.  I said to myself “Sheesh, how many times do I have to update Java?  I’m doing this almost every other day!  It’s worse than Adobe!”

Brian Krebs wrote in late 2010 urging readers who have no need for Java to remove the program, "because failing to keep this software updated with the latest security patches exposes users to dangerous, ubiquitous attacks."

In its 2010 Annual Security Report, Cisco writes: "Cybercriminals aim their campaigns at software programs, devices, and operating systems where they can reach the widest net of potential victims, as demonstrated by the noticeable increase in exploits involving the Java programming language—and the ongoing use of PDF documents to launch exploits. At this point, Java appears to be the greater threat."

Having established in late 2010 that Java is a big threat, and not having seen much data indicating that it has gotten better since, we are in a situation where the most commonly used programming language is also the one with the greatest increase in exploits.  Note that the exploits being counted here target the Java Runtime Environment installed on end-user machines (usually reached through the browser plug-in), not the applications written in Java; it is the runtime's ubiquity on desktops that makes it such an attractive target.  Whereas before Windows itself was the most targeted platform, as Microsoft has clamped down on vulnerabilities (disabling AutoRun, the stricter security model in Windows 7 and Vista versus XP), attackers have moved on to the next most enticing platform.

People don’t necessarily stop to think about updating third-party software.  Windows updates almost automatically, but third-party software is not yet as good at it (although Adobe has gotten better and Java is alright).  Still, the fact that Java is so common gives attackers a pretty wide target to go after for the next little while, until this window of opportunity closes.
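One practical check that follows from this: rather than trusting users to click through the auto-updater, an administrator can verify what JRE is actually installed. The script below is an added example, not code from the original post; it parses the banner that `java -version` prints (the old `1.6.0_22` scheme and the newer `11.0.2` scheme) into a comparable tuple and flags installs below a minimum the administrator sets. The minimum used in the demonstration is an arbitrary illustrative value, not a claim about which release fixed any particular vulnerability.

```python
"""Flag Java runtimes below a required patch level.

Added example (not from the original post). The banner format parsed
here is the real output of `java -version`, e.g.
    java version "1.6.0_22"
    openjdk version "11.0.2" 2019-01-15
The MINIMUM value is an arbitrary illustrative threshold that an
administrator would replace with whatever release they require.
"""
import re
import subprocess

# First line of `java -version` (printed on stderr on older JREs).
_BANNER = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(banner: str) -> tuple:
    """Turn a java -version banner into a comparable 4-tuple.

    "1.6.0_22"     -> (1, 6, 0, 22)   old scheme: major.minor.micro_update
    "1.6.0_22-b04" -> (1, 6, 0, 22)   build suffix after '-' is ignored
    "1.7.0"        -> (1, 7, 0, 0)    no update field means update 0
    "11.0.2"       -> (11, 0, 2, 0)   new scheme has no update field
    Raises ValueError when no version string is present.
    """
    match = _BANNER.search(banner)
    if not match:
        raise ValueError("no java version string in banner: %r" % banner)
    version = match.group(1).split("-", 1)[0]      # drop "-b04", "-ea", ...
    main, _, update = version.partition("_")
    parts = [int(p) for p in main.split(".")]
    parts = (parts + [0, 0, 0])[:3]                 # pad/truncate to 3 fields
    parts.append(int(update) if update else 0)
    return tuple(parts)


def is_outdated(banner: str, minimum: tuple) -> bool:
    """True if the JRE described by `banner` is older than `minimum`."""
    return parse_java_version(banner) < minimum


def installed_java_banner() -> str:
    """Run the local `java -version` and return its first line.

    Older JREs print the banner on stderr, newer ones may use stdout,
    so both are consulted. Raises FileNotFoundError if java is absent.
    """
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    output = proc.stderr if proc.stderr.strip() else proc.stdout
    return output.splitlines()[0]


if __name__ == "__main__":
    # Illustrative threshold (assumption, not a statement about any fix).
    MINIMUM = (1, 6, 0, 22)
    # Constructed sample banners standing in for a fleet of hosts.
    samples = {
        "host-a": 'java version "1.6.0_20"',
        "host-b": 'java version "1.6.0_22-b04"',
        "host-c": 'java version "1.7.0"',
    }
    for host, banner in samples.items():
        state = "OUTDATED" if is_outdated(banner, MINIMUM) else "ok"
        print(f"{host}: {parse_java_version(banner)} {state}")
    try:
        print("this machine:", installed_java_banner())
    except FileNotFoundError:
        print("this machine: no java on PATH")
```

Comparing tuples rather than the raw strings matters because `"1.6.0_9"` sorts after `"1.6.0_22"` lexically while being eleven updates older; the update number is what the patch level lives in on the 1.x line.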

One can only guess who will be next.  But it will be something ubiquitous (like Windows and Flash are) that does not update itself very frequently.