Researchers Highlight Recent Uptick in Java Security Exploits

by Tim Cull on Oct 25, 2010. Estimated reading time: 2 minutes

Microsoft researcher Holly Stewart pointed out this week on his blog that Java has now passed Adobe Reader as the most common target for malware. Mr. Stewart reports that most Java security exploits seen "in the wild" are targeting issues that have had fixes available for some time. In particular, three long-known issues with the Oracle JVM around Calendar deserialization, long file URLs, and RMI connections represent an outsized portion of attacks.

Security researcher Brian Krebs hypothesizes on his blog that these long-standing holes are seeing a surge of exploitation because "exploit pack" makers have recently started including functionality specifically targeted at these issues. Exploit packs are pre-configured pieces of software sold by hackers to criminal rings. Criminal rings then use the exploit packs to take over computers that visit tainted web sites. The most sophisticated exploit packs have professional-looking management and statistics consoles that tell the buyer how successful they have been at gaining access to computers. Mr. Krebs cites purportedly real-life screenshots of these consoles as evidence that Java is a favorite target.

All three of the favorite Java security holes have been fixed since at least March, and one was fixed as early as April 2009. But the report suggests that many computers have not received the fixes. A very large percentage of computers are running old versions of Java. Statistics site StatOwl found that more than 10% of users have only Java version 1.4 or 1.5 installed, neither of which has been supported by Oracle for more than a year. Even on computers running version 1.6, more than half are not running a recent patch that addresses the worst vulnerabilities.

There may be a variety of reasons why computers have not been upgraded. Often, consumers do not know that they are running Java at all, much less which version they have or how to upgrade it. In the enterprise, desktops are often required to keep older versions of Java to support in-house or vendor applications that have not yet been upgraded. For example, according to Oracle, if 1.6 update 22 is applied: "The fix for CVE-2010-3560 could cause certain Java applets running in the new Java Plug-in to stop working if they are embedded in web pages which contain JavaScript that calls into Java in order to perform actions which require network security permissions." Even Oracle products can have issues with minor Java point releases, so IT managers are likely to be cautious at all times. Likewise, legacy applications that still run on Java 1.5 could be vulnerable because Oracle stopped support for 1.5 in November 2009 and will only issue patches to Java for Business subscribers.

This week, Oracle released update 22 to JDK 1.6 that fixed 29 security issues, some of them major. Java developers often assume that their applications are immune to security holes because of the sandbox that the JVM supplies. But under the bytecode, the JVM implementation itself still has direct access to memory and is implemented in an un-sandboxed language like C.
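The version statistics above translate into a simple inventory check for a desktop fleet. The script below is an added example, not code from the article or from Oracle: it parses legacy-format Java version strings (1.family.minor_update, as printed by `java -version`) and classifies each host using the thresholds the article gives, namely that 1.4 and 1.5 are out of support and that 1.6 needs update 22 or later. The inventory format and host names are constructed.

```python
import re

# Thresholds taken from the article: 1.6 is the oldest family still patched,
# and JDK 1.6 update 22 is the release that fixed 29 security issues.
MIN_SUPPORTED_FAMILY = 6
MIN_UPDATE_FOR_1_6 = 22

# Accepts a bare string ("1.5.0_22") or the first line of `java -version`
# output ('java version "1.6.0_22"'). Legacy format only: 1.<family>.<minor>_<update>.
_VERSION_RE = re.compile(r'(?:java version ")?1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (family, update) from a 1.x version string, or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(3)) if m.group(3) else 0  # no "_NN" suffix means update 0
    return family, update


def assess_java_version(text):
    """Classify a runtime as 'unknown', 'unsupported', 'unpatched' or 'current'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    if family < MIN_SUPPORTED_FAMILY:
        return "unsupported"   # 1.4 / 1.5: no public security patches any more
    if family == MIN_SUPPORTED_FAMILY and update < MIN_UPDATE_FOR_1_6:
        return "unpatched"     # 1.6, but missing the latest security update
    return "current"


def assess_inventory(lines):
    """Map constructed 'host,version' inventory lines to a status per host."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = assess_java_version(version.strip())
    return results


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    "# host,java_version (constructed sample data)",
    'ws-accounting-01,java version "1.4.2_19"',
    "ws-legacy-app-07,1.5.0_22",
    "ws-dev-12,1.6.0_21",
    "ws-dev-13,1.6.0_22",
    "ws-unknown-02,not installed",
]

if __name__ == "__main__":
    for host, status in sorted(assess_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```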


Re: Researchers Highlight Recent Uptick in Java Security Exploits by Anthony Rivera

very useful info. Thanks.

Yes, but by Mike Mormando

While this is interesting, where are the numbers of vulnerabilities in MS based technologies?
Or would that totally mess up the scale, making these two types insignificant??

FUD pure and simple by Eric Bresie

Although there are likely security concerns to be aware of...

This article seems limited to only two third party products (Java and Flash), neither of which is provided by Microsoft.

If they included more info on C#/CLR/.NET products, Silverlight or MS Office products, then I would give it more credibility.


Why would MS punditry be discussing this? Maybe to get people to update their products? To get third parties to update their products? To persuade people to use their products? You make the call.
