Java Exploits -- Worse Than Adobe?

Sue Marquette Poremba

Adobe has gotten a lot of bad press lately, with reports of many security flaws and the need for more frequent patch releases. However, it now appears that Adobe has company: Java.


A Krebs on Security blog called Java a gift to exploit pack makers. As the blog stated:

Take one look at the newest kit on the block, "Blackhole," and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.

Today, another Krebs on Security blog reported that Java vulnerabilities have caused a spike in PC attacks over the third quarter of 2010. Microsoft claimed that it is an unprecedented wave of attacks. A Computerworld story said:

According to a manager at Microsoft's Malware Protection Center (MMPC), attempts to exploit Java bugs have skyrocketed in the past nine months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter. ...

The odd thing is that the attacks target three vulnerabilities that were patched months ago. The Computerworld story explained this as "Java blindness," where

vendors produce and sell intrusion-detection and -prevention software, which is designed to sniff out and stop exploits before they reach a company's computers.

Quoting Microsoft's Holly Stewart, the article said:

"IDS/IPS vendors ... have challenges with parsing Java code," Stewart alleged. "Think about incorporating a Java interpreter into an IPS engine. ... [T]he performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in exploitation might have a hard time seeing this. Call it Java-blindness."

How to avoid these exploits? Krebs recommended that if you don't need Java, you take it off your computer:

You can always reinstall it later if you find you need it. If you do use Java, then please keep it up to date. Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version. The program can also be set to check for updates every day or every week, although I have found Java's updater often fails to detect when a new version is available.


Oct 24, 2010 1:36 AM David says:

To address the rise of Sun Java exploits mentioned in this report, if for some reason you cannot simply patch Sun Java runtimes to the latest level, a list of all commonly exploited Sun Java runtime vulns with CVE numbers is at http://sharpesecurity.com/blog/2010/10/25/list-of-currently-exploited-sun-java-vulnerabilities/. This list can be used to ensure your IPSes have all required blocks in place.

Nov 22, 2010 1:00 AM Intrusion Detection System says:

Interesting article. It seems that Adobe is getting pretty lax about ensuring their products are secure. Starting to look like they're hiring Windows developers. :P
