Adobe Flash has a new zero-day every week, but we were saddled with it for years past when it should have been retired because some people didn't want HTML5 to have feature-parity with Flash.
Java has a new zero-day every week but we're stuck with it because enterprises are afraid of trying something new.
Windows was wide open to attacks for years, but they got away with it by saying "yeah but Apple is so expensive" and people still parrot that. They said "yeah but Linux is stolen technology/doesn't work right" and people still parrot that.
Android has a new malware/exploit warning every week, the majority of the phones never see security updates, and are running outdated software the minute they're shipped to stores but people say "yeah but Apple is so expensive/locked down" or "Windows Phone doesn't have any apps".
I have friends who lost their credit card numbers at Home Depot but refuse to shop at Lowe's because they don't like the NASCAR driver that Lowe's sponsors.
People get so caught up in brand loyalty that they're willing to defend "their" company like it's a family member. Even among the tech community, security means nothing. We still use Android phones to get root access, we still use Windows to save some money on our laptops, we still program in PHP because it pays the bills.
Nothing will ever be catastrophic enough. Anyone can get away with it just by creating an "us vs them" mentality with their customers.
No, it doesn't. The last one was in 2015. Before that I think there was a two year gap to the prior one. Zero days in Java are actually very rare these days.
That doesn't mean bugs are rare - like any large piece of software Java gets regular security patches, but those are flaws found by the developers themselves rather than attackers, so they aren't zero days.
Remember in 2012 when Apple stopped shipping Java with their browser because it was so insecure?
Long ago I read something about that. The psych came down to the (false) idea that changing brands would confirm that you were wrong. The example was that even if Ford made better cars back in the day so you're a diehard Ford owner, if their quality demonstrably falls behind and Chevy is demonstrably awesome today you still won't change! And that's a case where your prior decision was actually right. So people have these weird internal notions that 1) companies' value doesn't change over time, 2) their value doesn't change in light of new evidence, and 3) my own value is somehow tied to making a "correct" decision in spite of cognitive errors #1 and #2.
People are stubborn, and that's being kind about it.
Well, Java applets did die. What more do you want? The Java sandbox is only used by extremely legacy software at this point, so it doesn't matter if it has holes in it. Actually, the more holes the better, so we can get rid of the last holdouts.