Adobe has gotten a lot of bad press lately, with reports of many security flaws and the need for more frequent patch releases. However, it now appears that Adobe has company: Java.
A Krebs on Security blog called Java a gift to exploit pack makers. As the blog stated:
Take one look at the newest kit on the block, "Blackhole", and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.
Today, another Krebs on Security blog reported that Java vulnerabilities have caused a spike in PC attacks over the third quarter of 2010. Microsoft claimed that it is an unprecedented wave of attacks. A Computerworld story said:
According to a manager at Microsoft's Malware Protection Center (MMPC), attempts to exploit Java bugs have skyrocketed in the past nine months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter. ...
The odd thing is that the attacks target three vulnerabilities that were patched months ago, but the Computerworld story explained this as "Java blindness," where
vendors produce and sell intrusion-detection and -prevention software, which is designed to sniff out and stop exploits before they reach a company's computers.
Quoting Microsoft's Holly Stewart, the article said:
"IDS/IPS vendors ... have challenges with parsing Java code," Stewart alleged. "Think about incorporating a Java interpreter into an IPS engine. ... [T]he performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in exploitation might have a hard time seeing this. Call it Java-blindness."
How to avoid the exploit? Krebs recommended that, if you don't need Java, you take it off your computer:
You can always reinstall it later if you find you need it. If you do use Java, then please keep it up to date. Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version. The program can also be set to check for updates every day or every week, although I have found Java's updater often fails to detect when a new version is available.