A Tidal Wave of Java Flaw Exploitation
tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack."
Several days ago, Oracle released a patch that fixed 29 Java security flaws.
FTA: The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.
So unpatched machines are vulnerable. Perhaps people don't auto-update Java as often.
Honestly? Or is it more likely one individual organization of malware authors suddenly realized that Oracle was being lazy about updating?
You are missing the point. If you are distributing a JVM to run your application, chances are you are only running your code, and you are doing so outside a sandbox.
Untrusted Java code is typically run either as a web browser applet, or as a Java Web Start application. Typical scenario: User visits a bad web page (or sees a bad ad) with a Java applet. It loads, exploits a vulnerability in the Java sandbox, and executes its code. Applets are in the browser's code domain, so it is possible that the web browser may catch that. Java Web Start is a bit trickier to get the user to start up, but it executes in its own domain.
Many of the vulnerabilities seem to be tied to deserialization, which is not surprising, given that Java deserializes objects using reflection and magic to set fields and bypass execution of the constructor. The approach makes it easier to write serializable objects, but makes it harder to check everything.
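The deserialization point made above, shown as an added example that is not part of the thread: a constructor that enforces an invariant, proof that `ObjectInputStream` assigns fields without ever calling that constructor, and the two standard mitigations, a `readObject` hook that re-validates the fields and an `ObjectInputFilter` allowlist (Java 9 or later). The class names, the port invariant and the byte-patching helper that simulates a tampered stream are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

public class DeserializationDemo {

    // Counts constructor calls so we can observe that deserialization skips it.
    static int constructorCalls = 0;

    // Constructed example type: a port number whose constructor enforces a range.
    static final class Port implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int number;

        Port(int number) {
            constructorCalls++;
            check(number);
            this.number = number;
        }

        private static void check(int n) {
            if (n < 1 || n > 65535) {
                throw new IllegalArgumentException("port out of range: " + n);
            }
        }

        int number() { return number; }

        // Deserialization sets fields reflectively and never runs the constructor,
        // so the invariant has to be re-checked here or it is silently lost.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            try {
                check(number);
            } catch (IllegalArgumentException e) {
                throw new InvalidObjectException(e.getMessage());
            }
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with an allowlist filter: only Port may appear in the stream,
    // so any other class is rejected before its deserialization code runs.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(
                ObjectInputFilter.Config.createFilter("DeserializationDemo$Port;!*"));
            return ois.readObject();
        }
    }

    // Replace the first occurrence of `find` in `data` with `replace` (same length).
    // Used only to fabricate a stream with an out-of-range field value.
    static byte[] patch(byte[] data, byte[] find, byte[] replace) {
        byte[] out = data.clone();
        for (int i = 0; i + find.length <= out.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(out, i, i + find.length), find)) {
                System.arraycopy(replace, 0, out, i, replace.length);
                return out;
            }
        }
        throw new IllegalStateException("pattern not found");
    }

    public static void main(String[] args) throws Exception {
        byte[] valid = serialize(new Port(8080));
        Port p = (Port) deserialize(valid);
        // constructorCalls stays at 1: only the original `new` ran, not the round trip.
        System.out.println("round trip: " + p.number() + ", constructor calls: " + constructorCalls);

        // Simulate an untrusted stream: the serialized int 8080 (0x00001F90) becomes 0.
        byte[] tampered = patch(valid,
            new byte[] {0, 0, 0x1F, (byte) 0x90}, new byte[] {0, 0, 0, 0});
        try {
            deserialize(tampered);
        } catch (InvalidObjectException e) {
            System.out.println("readObject rejected tampered stream: " + e.getMessage());
        }

        // A class outside the allowlist is refused by the filter, not by its own code.
        try {
            deserialize(serialize(Integer.valueOf(1)));
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

The two mitigations address different risks: the `readObject` hook restores the invariant the constructor would have enforced for a class you expect in the stream, while the filter keeps classes you never expected from being instantiated at all, which is what matters when the stream comes from an untrusted source.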
Perhaps this is because each Java update forces the bloody 'autoupdater service' (jusched).
Theoretically it allows the user to turn it off.
When I turn it off, close the Java config and reopen it, the schedule is still active.
Cutting it in the registry is the proper solution.
After further research, it appears that Oracle/Sun's latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.
Probably because the Java updater is a piece of garbage that constantly tries to get you to install toolbars from Bing! or Yahoo! or whoever else is attempting to line their pockets this month.
An update tool should not attempt to install additional software.
Wolde you bothe eate your cake, and have your cake?