Slashdot Mirror

← Back to Stories (view on slashdot.org)

Massive Amount of Malware Targets Older Java Flaws

Posted by samzenpus on from the soft-target dept.

Trailrunner7 writes "It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years. Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version."

5 of 102 comments (clear)

  1. Oracle Java: Bad by Anonymous Coward · · Score: 5, Informative

    The problem we (as systems admins) have with Oracle Java is that they don't patch: they give you new versions. Each new version deprecates some things, adds new things, and breaks some things that worked before. So you end up with banking entities (looking at you Citigroup and others) that require you to use old, vulnerable versions in order to perform enterprise money transactions. You end up with the good vendors scrambling to get their code working, while the bad vendors just tell you that you have to run the old version of Java. It is so bad that we are working on a policy to keep new Java based (client) applications out and not allow the business units to bring them it. The damn thing is impossible to manage seeing as how you need the latest version but can't run it if you want your apps to work. Terrible software.

    1. Re:Oracle Java: Bad by allcoolnameswheretak · · Score: 4, Interesting

      Actually, the one practically undisputed big selling point of Java is backwards compatibility. In fact, most experienced developers I know would cite that Java's stringent backwards compatibility policy is one of the things that has been holding the platform back, impeding progress. As an experienced Java developer myself, I would claim that 95% of Java applications should be upgradable to the most recent version without any issues at all.

    2. Re:Oracle Java: Bad by Anonymous Coward · · Score: 5, Informative

      Those have performance issues. Look at Jmol vs. JSmol. JSmol is great, buy how many years will it be before it's as fast as Jmol? The demos on the test pages are using small molecules. The performance issues are magnified greatly when used to study molecules on the order of hundreds of thousands of atoms. Plus there are security issues. JS and HTML can't write files to the clients computer. What if your client wants files? You have to send the content to the server, and then back again to the client. So then the client has to trust you with their data. Java can write to their computer and doesn't have to send the data to the server first.

    3. Re:Oracle Java: Bad by BitZtream · · Score: 4, Interesting

      Which changes nothing other than the application your updating.

      You realize that MS is the only company that gets the word 'patched'.

      Firefox, chrome and opera all do the same as Oracle.

      Not that MS hasn't introduced breaking changes and called them patches or anything.

      If you think the browser is a stable platform you've clearly never done web development.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  2. Oracle Java UPDATER is the reason for this by tstrunk · · Score: 5, Interesting

    Some posts above mine, people blame Oracle Java. I blame the updater.

    My dad was hit by malware lately, which he got, because of an outdated Java on his system. He told me he always updated everything and blocked the install of everything else like toolbars. The last thing before he got the virus he remembered, was not allowing jusched.exe admin priviledges.

    I get it: jusched mean java update scheduler and everytime it's run it asks for admin priviledges. First of all:
    1.) This should be updated automatically by a package manager, hence I blame Microsoft
    2.) If 1.) is not the case, it should at least be called JAVA UPDATE PROCESS
    3.) It should display some kind of information before requesting Admin rights.

    Not many people outside of Slashdot know what jusched.exe is. Updating needs to be automated. Actually: We should somehow take this into our own hands and provide OpenJDK for Windows also ourselves and get people to switch. Maybe even without the ASK Toolbar