March 15, 2013

Tracking Days Since the Last Java 0-day Vulnerability

Following the discovery of a brand-new Java zero-day vulnerability by FireEye on February 28th and a recent spate of zero-day vulnerabilities in the news, an anonymous user has created a website to track how many days have passed since the last known Java zero-day. As of the writing of this article, the counter stands at 8 days. While the site has only been online since March 2nd, the author notes that the counter has not yet reached ten.

According to the FAQ, the author created the site with the intent of raising awareness. Links are provided to the Wikipedia article on Browser Security, an F-Secure article on enabling Click to Play for Flash, and the W3C article on the Same-Origin Policy. Their efforts seem to be working, as the site has been making the rounds on Reddit and other infosec blogs.

In a tongue-in-cheek dig at Java, the site includes room for 3 digits on the counter. Considering the popularity of Java and the number of 0-day vulnerabilities that have been found in recent memory, it seems unlikely all 3 spaces will ever be used. A series of milestones is listed at the bottom of the page as well, replete with nerdy references: the 42-day milestone, for example, is named “Deep Thought” after the supercomputer in Douglas Adams’ Hitchhiker’s Guide to the Galaxy that gives the famous answer of 42 when asked the ultimate question of life, the universe, and everything. The only milestone to be reached thus far is the 1-week milestone, named “Close call”. This humor serves to offset the fact that browser vulnerabilities can have devastating consequences for businesses and consumers.

To check it out and raise your own awareness of browser security, head over to www.java-0day.com.