Slashdot Mirror


Massive Amount of Malware Targets Older Java Flaws

Trailrunner7 writes "It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years. Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version."

3 of 102 comments

  1. Oracle Java: Bad by Anonymous Coward · Score: 5, Informative

    The problem we (as systems admins) have with Oracle Java is that they don't patch: they give you new versions. Each new version deprecates some things, adds new things, and breaks some things that worked before. So you end up with banking entities (looking at you, Citigroup and others) that require you to use old, vulnerable versions in order to perform enterprise money transactions. You end up with the good vendors scrambling to get their code working, while the bad vendors just tell you that you have to run the old version of Java. It is so bad that we are working on a policy to keep new Java-based (client) applications out and not allow the business units to bring them in. The damn thing is impossible to manage, seeing as how you need the latest version but can't run it if you want your apps to work. Terrible software.

    1. Re:Oracle Java: Bad by Anonymous Coward · Score: 5, Informative

      Those have performance issues. Look at Jmol vs. JSmol. JSmol is great, but how many years will it be before it's as fast as Jmol? The demos on the test pages are using small molecules. The performance issues are magnified greatly when used to study molecules on the order of hundreds of thousands of atoms. Plus there are security issues. JS and HTML can't write files to the client's computer. What if your client wants files? You have to send the content to the server, and then back again to the client. So then the client has to trust you with their data. Java can write to their computer and doesn't have to send the data to the server first.

    2. Re:Oracle Java: Bad by Sarten-X · Score: 2, Informative

      It's not the programmers that matter. Programmers can write Java and compile it with any JDK they please, and it should run on any JRE, including OpenJDK and its companion JRE project. I don't know how well they patch compared to Oracle, but it's an open-source replacement, which works pretty well in my experience.

      --
      You do not have a moral or legal right to do absolutely anything you want.