Massive Amount of Malware Targets Older Java Flaws
Trailrunner7 writes "It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years. Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version."
Actually, the one practically undisputed big selling point of Java is backwards compatibility. In fact, most experienced developers I know would cite that Java's stringent backwards compatibility policy is one of the things that has been holding the platform back, impeding progress. As an experienced Java developer myself, I would claim that 95% of Java applications should be upgradable to the most recent version without any issues at all.
Which changes nothing other than the application you're updating.
You realize that MS is the only company that gets the word 'patched'.
Firefox, Chrome and Opera all do the same as Oracle.
Not that MS hasn't introduced breaking changes and called them patches or anything.
If you think the browser is a stable platform you've clearly never done web development.
Good luck with that... having code that works in more than one VM is a big task. For example, am I stuck with a VM that has JCE, or do I have access to JSSE? Even then, a JVM on a Mac may not run code written by a JVM on Windows.
Oracle needs to do a complete library enema of Java and really get write once, run everywhere going properly, just like how MS cleaned up house going from .NET 1.x to 2.0.
If I want something that works across platforms, it would be JavaScript, or HTML5. No flash, no Java, no stupid-ass extensions that some malware writer will cornhole.
Some posts above mine, people blame Oracle Java. I blame the updater.
My dad was hit by malware lately, which he got because of an outdated Java on his system. He told me he always updated everything and blocked the install of everything else like toolbars. The last thing he remembered before he got the virus was not allowing jusched.exe admin privileges.
I get it: jusched means Java update scheduler, and every time it's run it asks for admin privileges. First of all:
1.) This should be updated automatically by a package manager, hence I blame Microsoft
2.) If 1.) is not the case, it should at least be called JAVA UPDATE PROCESS
3.) It should display some kind of information before requesting Admin rights.
Not many people outside of Slashdot know what jusched.exe is. Updating needs to be automated. Actually: We should somehow take this into our own hands and provide OpenJDK for Windows also ourselves and get people to switch. Maybe even without the ASK Toolbar.
In the interest of being pedantic, OpenJDK is the reference implementation. Oracle's JRE is the one that isn't compatible.
You do not have a moral or legal right to do absolutely anything you want.