In June 1996, Sun Microsystems' Java was at the all-time peak of hype.

"A Java-free world wide web is static says the marketing hype," Information Age trumpeted at the time. "It's like turning the pages of a brochure.

"Java makes the Web twist and shout with interactive multimedia and other applications that can only be guessed at."

Exactly 16 years later, some of those other applications for Java became clear: a whopping 50 percent of exploits in 2012 saw cybercriminals take advantage of Java security holes.

Many of these exploits were 0day (zero day) – that is, unpatched at the time they were exploited by malicious operators.

Thus the programming language once described as "too darn hot" and "one of the industry's most hyped arrivals" became a software pariah that computer experts urged should be purged from machines worldwide.

Destroying Java's competitive advantage

The 'Father of Java', Dr James Gosling, made his way to Australia in early 1996 to spread the good word on his new web programming language.

He was "slightly bemused" at the attention it had already received – having a programming language splashed across mainstream publications like Newsweek and Time wasn't normal then, and still isn't.

 

 

Sitting in Sydney's Park Hyatt, Gosling happily posed with coffee in hand, a fairly unsubtle (and clichéd) mimicry of the famous coffee cup Java logo.

When the conversation turned to security, Gosling was only too keen to note that Java had its bases covered.

"Gosling says security is the number one issue and Java has a competitive advantage," the article boasted.

"So far no one has broken into an application built using Java," Gosling chimed in, claiming one of the reasons for this was "really good relations with essential parts of the (former) KGB" who Sun tapped for cryptographic skills.

However, the article did note that "Java's judgment day [was] some way off."

"Gosling is first to admit current hype is just the beginning. The real test will come when Java developed applications flow through the Net onto our desktops."

And Java was tested in a big way by cybercriminals.

Kaspersky Lab said that while it "called 2011 the year of the vulnerability, 2012 can justifiably be described as the year of the Java vulnerability, with half of all detected exploit-based attacks targeting vulnerabilities in Oracle Java."

(By this stage, Sun had been acquired by Oracle, making Java maintenance Oracle's problem).

"Today, Java is installed on more than three billion devices running under various operating systems," Kaspersky continued.

"Therefore, cross-platform exploits can be created for certain Java vulnerabilities. During [2012], we detected both broad-scale attacks using exploit kits, and targeted attacks using Java exploits that targeted both PCs and Mac computers."

Such exploits of Java have declined since then, but Java maintains an image problem.

website counter claims it has been 634 days without such an exploit appearing. The last major exploit was in 2013.