Slashdot Mirror


Massive Amount of Malware Targets Older Java Flaws

Trailrunner7 writes "It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years. Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version."

17 of 102 comments

  1. Oracle Java: Bad by Anonymous Coward · · Score: 5, Informative

    The problem we (as systems admins) have with Oracle Java is that they don't patch: they give you new versions. Each new version deprecates some things, adds new things, and breaks some things that worked before. So you end up with banking entities (looking at you Citigroup and others) that require you to use old, vulnerable versions in order to perform enterprise money transactions. You end up with the good vendors scrambling to get their code working, while the bad vendors just tell you that you have to run the old version of Java. It is so bad that we are working on a policy to keep new Java based (client) applications out and not allow the business units to bring them it. The damn thing is impossible to manage seeing as how you need the latest version but can't run it if you want your apps to work. Terrible software.

    1. Re:Oracle Java: Bad by TechyImmigrant · · Score: 2

      >Yeah but what would the alternative be? .NET?

      No. Programs.
      Programs work. You write them and they run on computers.

      If you're writing a thing within a thing that runs on a thing within another thing, then you're writing Java, not a program.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Oracle Java: Bad by allcoolnameswheretak · · Score: 4, Interesting

      Actually, the one practically undisputed big selling point of Java is backwards compatibility. In fact, most experienced developers I know would cite that Java's stringent backwards compatibility policy is one of the things that has been holding the platform back, impeding progress. As an experienced Java developer myself, I would claim that 95% of Java applications should be upgradable to the most recent version without any issues at all.

    3. Re:Oracle Java: Bad by Anonymous Coward · · Score: 5, Informative

      Those have performance issues. Look at Jmol vs. JSmol. JSmol is great, but how many years will it be before it's as fast as Jmol? The demos on the test pages are using small molecules. The performance issues are magnified greatly when used to study molecules on the order of hundreds of thousands of atoms. Plus there are security issues. JS and HTML can't write files to the client's computer. What if your client wants files? You have to send the content to the server, and then back again to the client. So then the client has to trust you with their data. Java can write to their computer and doesn't have to send the data to the server first.

    4. Re:Oracle Java: Bad by BitZtream · · Score: 4, Interesting

      Which changes nothing other than the application you're updating.

      You realize that MS is the only company that gets the word 'patched'.

      Firefox, Chrome and Opera all do the same as Oracle.

      Not that MS hasn't introduced breaking changes and called them patches or anything.

      If you think the browser is a stable platform you've clearly never done web development.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    5. Re:Oracle Java: Bad by Anonymous Coward · · Score: 3, Interesting

      Good luck with that... having code that works in more than one VM is a big task. For example, am I stuck with a VM that has JCE, or do I have access to JSSE? Even then, a JVM on a Mac may not run code written by a JVM on Windows.

      Oracle needs to do a complete library enema of Java and really get write once, run everywhere going properly, just like how MS cleaned up house going from .NET 1.x to 2.0.

      If I want something that works across platforms, it would be JavaScript, or HTML5. No flash, no Java, no stupid-ass extensions that some malware writer will cornhole.

    6. Re:Oracle Java: Bad by hairyfeet · · Score: 2, Interesting

      As someone who no longer has to deal with corporate (thank God, Allah, Zeus and the FSM), what pisses me off is that after YEARS of decline, to the point that finding Java installed on a home user or SMB was as rare as hen's teeth, that god damned game came out and fucking obliterated 10 years of declining Java overnight. I am of course talking about Minecraft, or as I call it "the STD of casual gaming".

      The problem is... and I'm gonna get the Jfanboys screaming bloody fucking murder for daring to point this out, but Java just sucks ass when it comes to security, it really does. You can't even compare it to Windows or Flash, because with both of those you can turn on automatic update and you'll be fine; with Java, as you pointed out, they do NOT patch, they REPLACE, and that ends up breaking shit as often as it fixes it, so naturally all it takes is Java shitting all over an app after an update for most folks to learn "Don't update Java EVAR", which is how we are in this mess.

      If we can't get the damned programmers to use something, ANYTHING other than Java, then we need an open source replacement, something that will just patch the bugs instead of screwing everything up by replacing. Hell, maybe somebody could port the Google version Android uses but make it compatible with standard Java apps, I don't know; all I do know is we need something better than fricking Java, because down here in the trenches it makes Flash look like Fort Knox by comparison. You can't even get mad at people for turning off updates, because their replacing instead of patching just leaves you with broken apps, so it's either leave their asses hanging in the breeze or give up on running anything that uses Java. While that would be fine by me, I have a feeling all the casual gamers won't let that happen.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Oracle Java: Bad by Sarten-X · · Score: 2, Informative

      It's not the programmers that matter. Programmers can write Java and compile it with any JDK they please, and it should run on any JRE, including OpenJDK and its companion JRE project. I don't know how well they patch compared to Oracle, but it's an open-source replacement, which works pretty well in my experience.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    8. Re:Oracle Java: Bad by Anonymous Coward · · Score: 2, Interesting

      Hardly true. I'm using a whole system (Gentoo Linux) with no .NET (thank you, junk belongs to..) and no Java (disabled at the system level). Here we go: a bunch of programs NOT using Java or .NET AND actually working. That is what people use when they want the job done. Or, you can look at a bunch of Java programmers writing tons of code in a pitiful attempt to create something useful.
      If they are trying to create desktop applications, that's in most cases laughable, with very few exceptions. The created monstrous dinosaurs work slowly, consume a lot of resources, and are usually not any better than anything else from the point of functionality.
      If they are creating 'Enterprise' software, then we usually see an enterprise-scale f-up, with HUGE hardware and human resources pulled in to perform even the simplest tasks. I'm watching a comedy in progress, where a system performing about ten TPS requires six (6) application servers to work stably. But, of course, it's all the latest Java technology, JBoss/Hibernate/etc. OTOH, a JS+PHP based system does 300+ TPS on a freaking laptop running the same database.
      Frankly speaking, I see both Java and .NET as diseases. Once your company catches them, it's very difficult to get cured.

    9. Re:Oracle Java: Bad by Gr8Apes · · Score: 2

      Ugh, no.

      My last two forays with OpenJDK have led me to never ever use it again. It is not compatible.

      --
      The cesspool just got a check and balance.
    10. Re:Oracle Java: Bad by Gr8Apes · · Score: 2, Interesting

      Interesting that the systems I've worked on for more than 10 years, some still running, don't seem to have these security issues you're whining about. Is that, perhaps, because they're almost all wholly related to the browser plugins? Disable that and woah... you don't have security problems.

      --
      The cesspool just got a check and balance.
    11. Re:Oracle Java: Bad by Sarten-X · · Score: 3, Interesting

      In the interest of being pedantic, OpenJDK is the reference implementation. Oracle's JRE is the one that isn't compatible.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    12. Re:Oracle Java: Bad by cgomezr · · Score: 2

      If a Java application requires an older version of the platform, it's probably due to crappy coding (violating a precondition of some method, trusting undefined behaviour, using undocumented libraries that are not part of the standard API, etc.)

      I have been developing in Java for like 12 years and I have never had any issues with backward compatibility. The closest I have had to an issue was a change to how word wrapping works in Swing text components in 1.7, which made an application look a bit uglier in that version (but fully functional).

      In fact, one of the big advantages of Java IMHO is its great backwards compatibility... they take care not to break anything, stuff that was deprecated back in version 1.1 (1997) is still there and working.

      As for compatibility between OSes (mentioned in some child threads), the only problems I've had in all these years were always my fault when I was a novice, on things like developing for Windows, expecting "blah.properties", creating "Blah.properties" and expecting it to work on Linux. Obviously Java can't deal with wrong assumptions by the developer, but if you don't do that kind of thing, programs just work out of the box across OSes.

      That said, I agree the Java update mechanism is horrendous. And that's when it works. It's pretty common for the update system under Windows to leave you with redundant versions, and I have a Win 7 machine where it just fails with an uninformative error message.

  2. It's the Forrest Gump principle by techno-vampire · · Score: 2

    People who still use older versions of Java probably aren't up to date on other patches or updates either, making them even easier to exploit or infect. Stupid is as stupid does, and that includes IT policies that don't allow machines to be kept current when it comes to security.

    --
    Good, inexpensive web hosting
  3. Oracle Java UPDATER is the reason for this by tstrunk · · Score: 5, Interesting

    Some posts above mine, people blame Oracle Java. I blame the updater.

    My dad was hit by malware lately, which he got because of an outdated Java on his system. He told me he always updated everything and blocked the install of everything else, like toolbars. The last thing he remembered before he got the virus was not allowing jusched.exe admin privileges.

    I get it: jusched means Java update scheduler, and every time it's run it asks for admin privileges. First of all:
    1.) This should be updated automatically by a package manager, hence I blame Microsoft
    2.) If 1.) is not the case, it should at least be called JAVA UPDATE PROCESS
    3.) It should display some kind of information before requesting Admin rights.

    Not many people outside of Slashdot know what jusched.exe is. Updating needs to be automated. Actually: we should somehow take this into our own hands, provide OpenJDK for Windows ourselves, and get people to switch. Maybe even without the Ask Toolbar.

    1. Re:Oracle Java UPDATER is the reason for this by radarskiy · · Score: 2

      Now you've solved two problems.

  4. It's Java Browser Plugin! by coder111 · · Score: 3, Insightful

    How many times do I have to repeat this? ALMOST ALL THE VULNERABILITIES TARGET JAVA APPLETS THAT RUN WITH THE JAVA PLUGIN INSIDE THE BROWSER. This is not Java the language in general, this is not even the JVM, this is the stupid applet sandbox. And nobody uses applets for anything anymore; this is obsolete technology maintained for backwards compatibility.

    95% of Java today is running on the server-side. And there are very few security problems there.

    Given the amount of articles and FUD targeted at Java on Slashdot in recent months, they could have gotten this right by now. Editors, please be explicit about this being a Java APPLET/BROWSER PLUGIN vulnerability every time this comes up. This is not a Java language vulnerability.

    --Codera