A Tidal Wave of Java Flaw Exploitation 238
tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack."
Several days ago, Oracle released a patch that fixed 29 Java security flaws.
Patches have been available for a long time (Score:4, Insightful)
FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.
So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.
Re:Patches have been available for a long time (Score:5, Insightful)
I've run out of space in my head for all the different tools I need to seperately manage updates for.
Re:Nerd rage (Score:5, Insightful)
Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?
Re:JVM on Windows? (Score:1, Insightful)
You are missing the point. If you are distributing a JVM to run your application, chances are you are only running your code, and you are doing so outside a sandbox.
Untrusted Java code is typically run either as a web browser applet, or as a Java web start application. Typical scenerio: User visits bad web page (or sees a bad ad) with a Java applet. It loads, exploits a vulnerability in the Java sandbox, and executes its code. Applets are in the browsers code domain, so it is possible that the web browser may catch that. Java web start is a bit tricker to get the user to start up, but it executes in its own domain.
Many of the vulnerabilities seem to be tied to deserialization, which is not surprising, given that Java deserializes objects using reflection and magic to set fields and bypass execution of the constructor. The approach makes it easier to write serializable objects, but makes it harder to check everything.
Re:Patches have been available for a long time (Score:4, Insightful)
Java web start allows a developer to specify an exact version of the JVM to run. If that JVM doesn't exist, it could be downloaded from Oracle through the web start installation process. I'm not sure if you can specify flaw enabled versions of the JVM anymore, but at least there are dialogs and choices to make before the JVM gets installed anyways, so a naked web site can't just inject a bad JVM into your system based on an exploit web start file. The same goes for applets these days, as applets and web start start merging into some sort of common entity.
That said, there are a lot of 3rd party vendors that have installed JVM's over things, and set environment variables that break other things over the years (Oracle DB client I'm looking at you!) that can cause all sorts of compatibility problems.
Re:Patches have been available for a long time (Score:3, Insightful)
Plus, the patch wants you to install a massive amount of crapware in order to patch your system.
Re:Patches have been available for a long time (Score:2, Insightful)
"Write Once, Run on a Very Specific Virtual Machine Version Which We'll Download For You Automatically" doesn't sound quite so appealing.
Re:How? (Score:2, Insightful)
Perheps this is because each java update forces the bloody 'autoupdater service' (jusched).
Theoretically it allows user to turn it off.
When I turn it off, close java config and reopen - schedule is still active.
Cutting in registry is the proper sollution.
Re:How? (Score:3, Insightful)
Probably because the Java updater is a piece of garbage that constantly tries to get you to install toolbars from Bing! or Yahoo! or whoever else is attempting to line their pockets this month.
An update tool should not attempt to install additional software.