Microsoft: Java Worse Than PDF as Security Threat
Java should be considered a top software security threat, even more so than Adobe PDF files, according to Microsoft's announcement issued today.
Exploit attempts leveraging Java peaked at more than six million in the third quarter. In contrast, exploit attempts tapping PDF files in that same time period were measured in the thousands, according to MMPC data.
The Java exploit attempts on Windows machines used known security issues for the most part for which Microsoft has already issued patches, according to Stewart. Those patches include CVE-2008-5353, CVE-2009-3867 and CVE-2010-0094, all of which are associated with the Java runtime environment. Microsoft particularly noted exploits associated with the CVE-2008-5353 bulletin as "a major problem."
The low profile for Java as a software security attack vector is due, in part, from the lower volume of attacks compared with malware families such as Zbot, according to Stewart. She also speculated that makers of intrusion prevention system software have trouble figuring out Java code themselves and so haven't sounded the alarm.
Stewart pointed to a post by security researcher Brian Krebs as one of the few outlets pointing to Java as a potential security problem. According to Krebs, the regular monthly Java patches delivered by Oracle through automatic updates aren't frequent enough to ward off potential attacks. He recommended increasing the frequency of Java update checks. Alternatively, for those not really needing Java, he recommended just removing the java runtime environment altogether.
Still, Java is popularly used. According to Oracle's Web site, "Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.