I always thought that, from day one, it was specifically designed to run untrusted code downloaded over the network in a secure sandbox. Java's over 15 years old and has always had the backing of a major company, so it's not like these are the growing pains of a new technology.
You might ask the same thing about Flash. You'd think that after the first dozen or so releases with gaping holes that they'd take a step back and rethink things.
I came up with a hypothesis about this kind of stuff not too long ago. Once your product becomes sufficiently crappy, nobody in their right mind will want to work on it. Good people will leave to get away from it. The project gets to a point where the badness "rubs off on you". Anyone who cares about their reputation will run from it.
Obviously, you can't write code without developers, so you start scraping the bottom of the barrel to get anyone who will work on it. You get people who don't care about their reputations and/or quality and are only there for a paycheck. You get green people fresh out of school who think everything is always nice and happy, and haven't been beaten down by the harsh reality of the industry yet.
The bozos got to the project, and broke it. Once that happened, the only people willing to work on it are more bozos (and the unfortunate ignorant folks who don't know any better).
I dubbed it "The Bozo Loop". I originally only intended for this to describe a specific situation (Flash), but since then it's become quite clear that it can extend to Java and many other things.
If they're both similar in this way, why did Flash win, or at least stay alive, while Java lost, to the point where most people can be told to turn it off and won't notice the difference?
We are only just now hitting the point where you could use HTML 5 video only for a broad reaching consumer site. Once this is no longer an issue flash will probably drop off a lot more.
I assume only having up to IE8 on XP is going to be an issue to full html5 video adoption for some time yet.
I don't think there's anything about Java the language, any more than any plugin.
It is the development and deployment methodology that is dated. Oracle (and the same went for Sun) issues updates on a scale of months. I think this is now turning out to be an unviable strategy for any platform that has to survive in the wild and run untrusted code. It's hard to swallow, but we have to accept:
1. Completely secure code is extraordinarily expensive and difficult to write. All cost effective software is going to contain vulnerabilities
2. The only path to security is aggressive discovery and disclosure followed up with an immediate patch and deploy mechanism
This is the new model which Chrome and various other end-user-facing software is running - silent, rapid updates and a product engineered from the ground up to support that without major regressions. Anybody who wants to be a player in the browser market basically has to adopt this model. If Oracle cares about retaining any presence of their browser plugin in modern browsers they need to drastically change course - but I'm not sure they do.
Because the JVM is written in C, and thus EVERY line of C code in it (which is millions, maybe tens of millions) has to be trusted. That's just the way C is (but not Java, to its credit). Anybody can introduce a security hole at any point, essentially.
There are ways to structure your code to mitigate this, but Java is almost 20 years old, so I'm sure there are a bunch of dark corners in there.
A more secure way to go about it would probably be to bootstrap the language more and write more of the VM in Java. I guess PyPy is exactly that, although I don't know enough to comment on its security.
Javascript interpreters are also written in C. Flash is written in C. HTML parsers are written in C.
All of these are exposed directly to untrusted code from the Internet, and none of them break at anything like the rate that Java seems to have done recently, nor get as much bad press as Java does. The closest analogy I can think of is MSIE in the post-Netscape, pre-Firefox era (c. 2001-2005).
Maybe the conclusion is, security holes don't get fixed if a technology is closed-source, is developed by a single large company, and there are no alternative implementations.
I'm willing to guess that the JVM source is an order of magnitude larger than any JS interpreter or Flash interpreter (I'd be interested in being corrected if wrong). The number of security holes is proportional to the trusted code size.
I thought that Java had a pretty good record until recently. As I wrote in a previous comment, what may have happened is that Windows and Flash and other ubiquitous client software really cleaned up their act in the last few years. So hackers started going for the JVM and Adobe Reader as vectors. The JVM wasn't under as much scrutiny when Windows was wide open, although that was quite a few years ago.
I wouldn't rule out other possible reasons either, e.g. the fact that there may have been a huge brain drain in JVM talent after the Oracle acquisition. Or a failure of software engineering processes after a re-org.
I agree that closed source software doesn't have a great security track record... but I think there are some other factors at play here, some of which I'm speculating on.
Guys, the cause of security is not helped by speculating wildly.
First of all, the Sun JVM is written in C++, not C. Second of all, the recent security problems are not the result of buffer overflows or other C++ coding problems, but design choices in the Java security model coupled with poor library coding. These vulnerabilities existed for a long time. The fact that they're only coming to light now is just a historical accident more than anything else. Oracle's response has been slow, but they did not create the problem. Sun did. (And I say that as a big fan of the old Sun Microsystems.)
The Java security model is supposed to allow you to keep both trusted and untrusted code in the same process space. Unfortunately, if any trusted library is poorly coded, you can use it to escalate your privileges. You can basically get something a lot like "eval" using the classloader and reflection.
This was a tradeoff that the Java language designers made. They chose to implement a powerful, but complex, sandboxing scheme. It would have been a lot simpler just to run the untrusted code in a separate process, like Chrome does. But that would have required interprocess communication. A lot of these 0-days have used this mechanism, or something like it, to exploit their privileges.
Another decision the Java web plugin designers made was to give plugins the ability to do almost everything native applications could do-- manipulate the filesystem, send network traffic, etc. This was another design choice that could have been made differently-- for example, Javascript historically never offered these kinds of abilities.
There have been a ton of Java 0-days and I don't have time to explain or research them all. But most of them flow directly out of the underinvestment in Java plugins over the last decade (a policy Sun started, and Oracle continued), and the fundamental design decisions made in the early days. I haven't seen any of them that were related to C or C++ (although I haven't examined all of them in detail so maybe there was one somewhere.)
I always thought that, from day one, it was specifically designed to run untrusted code downloaded over the network in a secure sandbox. Java's over 15 years old and has always had the backing of a major company, so it's not like these are the growing pains of a new technology.