
A Tidal Wave of Java Flaw Exploitation

Posted by Soulskill
from the surf's-up dept.
tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws.

  • by adisakp (705706) on Monday October 18, 2010 @04:11PM (#33937796) Journal

    FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.

    So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.

  • by lgw (121541) on Monday October 18, 2010 @04:16PM (#33937894) Journal

    I've run out of space in my head for all the different tools I need to separately manage updates for.

  • Re:Nerd rage (Score:5, Insightful)

    by interkin3tic (1469267) on Monday October 18, 2010 @04:19PM (#33937948)

    Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?

  • Re:JVM on Windows? (Score:1, Insightful)

    by Anonymous Coward on Monday October 18, 2010 @04:33PM (#33938180)

    You are missing the point. If you are distributing a JVM to run your application, chances are you are only running your code, and you are doing so outside a sandbox.

    Untrusted Java code is typically run either as a web browser applet, or as a Java web start application. Typical scenario: User visits bad web page (or sees a bad ad) with a Java applet. It loads, exploits a vulnerability in the Java sandbox, and executes its code. Applets are in the browser's code domain, so it is possible that the web browser may catch that. Java web start is a bit trickier to get the user to start up, but it executes in its own domain.

    Many of the vulnerabilities seem to be tied to deserialization, which is not surprising, given that Java deserializes objects using reflection and magic to set fields and bypass execution of the constructor. The approach makes it easier to write serializable objects, but makes it harder to check everything.
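The constructor-bypass behaviour mentioned in the comment above is easy to observe directly. The following is an added example written for this page, not code from the thread or from Oracle: a hypothetical `Port` class counts constructor invocations, and deserializing it shows the count does not move because `ObjectInputStream` rebuilds the object reflectively. The `CheckedPort` variant re-runs its invariant check inside `readObject`, which deserialization does invoke, and the stream is wrapped in an `ObjectInputFilter` allow-list (available since Java 9) so that classes not named in the filter are rejected before any of their code runs.

```java
import java.io.*;

// Added example (not from the thread): shows that Java deserialization
// rebuilds an object without running its constructor, so constructor-side
// validation is skipped, and what a class must do to compensate.
public class DeserDemo {

    // Hypothetical value class: the constructor enforces an invariant.
    static class Port implements Serializable {
        private static final long serialVersionUID = 1L;
        static int constructorCalls = 0;
        final int number;

        Port(int number) {
            if (number < 1 || number > 65535) {
                throw new IllegalArgumentException("port out of range: " + number);
            }
            this.number = number;
            constructorCalls++;
        }
    }

    // Hardened variant: the invariant is re-checked in readObject, which
    // deserialization does call, after defaultReadObject restores the fields.
    static class CheckedPort implements Serializable {
        private static final long serialVersionUID = 1L;
        final int number;

        CheckedPort(int number) {
            validate(number);
            this.number = number;
        }

        private static void validate(int n) {
            if (n < 1 || n > 65535) {
                throw new IllegalArgumentException("port out of range: " + n);
            }
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            validate(number); // checks the stream-supplied value, constructor or not
        }
    }

    // A serializable class deliberately left off the allow-list below.
    static class Unlisted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Java 9+ allow-list: only the classes named here may be rebuilt from
            // the stream; "!*" rejects everything else with InvalidClassException.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "DeserDemo$Port;DeserDemo$CheckedPort;!*"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = serialize(new Port(443));
        int before = Port.constructorCalls;
        Port p = (Port) deserialize(bytes);
        // The field is restored reflectively; the constructor never ran.
        System.out.println("restored port " + p.number
            + ", constructor calls during deserialize: " + (Port.constructorCalls - before));

        CheckedPort cp = (CheckedPort) deserialize(serialize(new CheckedPort(8443)));
        System.out.println("checked port " + cp.number + " passed readObject validation");

        try {
            deserialize(serialize(new Unlisted()));
        } catch (InvalidClassException e) {
            System.out.println("filter rejected class not on the allow-list: " + e.getMessage());
        }
    }
}
```

Run with `javac DeserDemo.java && java DeserDemo` on a Java 9 or later JDK. The first line reports zero constructor calls during deserialization, which is why any invariant a class relies on must also be enforced in `readObject` (or `readResolve`); the filter is the outer line of defence, because it stops the stream from instantiating classes the application never expected to receive in the first place.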

  • by ADRA (37398) on Monday October 18, 2010 @04:33PM (#33938194)

    Java web start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the web start installation process. I'm not sure if you can specify flaw enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyways, so a naked web site can't just inject a bad JVM into your system based on an exploit web start file. The same goes for applets these days, as applets and web start start merging into some sort of common entity.

    That said, there are a lot of 3rd party vendors that have installed JVMs over things, and set environment variables that break other things over the years (Oracle DB client I'm looking at you!) that can cause all sorts of compatibility problems.

  • by Darkness404 (1287218) on Monday October 18, 2010 @04:35PM (#33938220)

    Exactly. Java has become a massive security hole with exploits left and right with fewer and fewer things that use it.

    Plus, the patch wants you to install a massive amount of crapware in order to patch your system.

  • by tuffy (10202) on Monday October 18, 2010 @04:40PM (#33938304) Homepage Journal

    "Write Once, Run on a Very Specific Virtual Machine Version Which We'll Download For You Automatically" doesn't sound quite so appealing.

  • Re:How? (Score:2, Insightful)

    by Kvasio (127200) on Monday October 18, 2010 @05:17PM (#33938888)

    Perhaps this is because each java update forces the bloody 'autoupdater service' (jusched).
    Theoretically it allows user to turn it off.
    When I turn it off, close java config and reopen - schedule is still active.
    Cutting in registry is the proper solution.

  • Re:How? (Score:3, Insightful)

    by WuphonsReach (684551) on Tuesday October 19, 2010 @12:03PM (#33947634)

    After further research, it appears that Oracle/Sun's latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

    Probably because the Java updater is a piece of garbage that constantly tries to get you to install toolbars from Bing! or Yahoo! or whoever else is attempting to line their pockets this month.

    An update tool should not attempt to install additional software.
