Attacks on Java Growing Fast

October 18, 2010

Brian Krebs, in a post on his Krebs on Security blog, warns that evidence gathered by Microsoft’s Malware Protection Center (and posted on their blog) indicates a rapid increase in the number of malware attacks directed against Java.  According to the Microsoft data, these attacks now number in the millions per quarter, and may have surpassed attacks against Adobe PDF software as the target of choice among the Bad Guys.  (Brian Krebs gave some revealing information about the inclusion of Java attacks in “exploit packs” for constructing malware in a post about a week ago.)

Java, like the Adobe products, is a cross-platform package that is widely installed on users’ machines.  The Java run-time software provides a “Java virtual machine” [JVM] that can interpret programs written in the Java language.  Although the system, designed originally by Sun Microsystems, now a part of Oracle, had security as an important design objective, it is very difficult to secure such a powerful tool completely.  And, despite the continuing attention paid to security fixes for Windows, for example, the reality is that the attackers have been finding juicier targets in applications software: Web browsers, the Adobe products, and Java.  As Holly Stewart of Microsoft wrote in their blog post,

Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don’t think to update it.  On top of that, Java is a technology that runs in the background to make more visible components work.  How do you know if you have Java installed or if it’s running?

Brian Krebs has suggested that users remove Java from their machines unless they have a specific requirement for it.  (Java is most widely used in enterprise environments.)  This is in some ways an extreme step; on the other hand, the one type of software guaranteed never to cause security problems is the type that’s not installed on the system.  If you decide to remove Java, I recommend testing things fairly thoroughly before entirely burning your bridges.

If you keep Java, you do need to be diligent about keeping up with patches.  Just recently, Oracle released a new Java version, 6 Update 22, that fixed 29 different security vulnerabilities.  As always, I will do my best to post alerts of these updates here.
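As an added example (not part of the original post), here is a small Python script that does the "am I patched?" check the paragraph above calls for: it runs `java -version`, parses the version string, and compares it against Java 6 Update 22, which the JVM reports as `1.6.0_22`.  The sample outputs in the script are constructed for the demonstration; the regular expression and the baseline are the only assumptions about the JVM's output format.

```python
import re
import subprocess
from typing import Optional, Tuple

# Java 6 Update 22 (the release mentioned above) identifies itself as 1.6.0_22
# in the first line of `java -version` output. Treat anything older as unpatched.
PATCHED_BASELINE = (1, 6, 0, 22)

# Matches e.g. java version "1.6.0_21"; the _NN update field is optional.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn `java -version` output into a comparable (major, minor, micro, update)
    tuple. Returns None when no version string is present, which is what you get
    when Java is not installed or not on the PATH."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def needs_update(output: str, baseline=PATCHED_BASELINE) -> Optional[bool]:
    """True if the installed Java is older than the baseline, False if it is at
    or beyond it, None if Java does not appear to be installed at all."""
    version = parse_java_version(output)
    if version is None:
        return None
    return version < baseline


def installed_java_version_output() -> str:
    """Run `java -version` on this machine. The JVM prints the banner to stderr,
    so both streams are collected; an empty string means no `java` binary."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


# Constructed sample outputs in the format Java 6 used (not captured from real systems).
SAMPLE_OLD = 'java version "1.6.0_21"\nJava(TM) SE Runtime Environment (build 1.6.0_21-b06)\n'
SAMPLE_CURRENT = 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)\n'
SAMPLE_MISSING = "java: command not found\n"

if __name__ == "__main__":
    samples = [
        ("constructed: 6u21", SAMPLE_OLD),
        ("constructed: 6u22", SAMPLE_CURRENT),
        ("constructed: no java", SAMPLE_MISSING),
        ("this machine", installed_java_version_output()),
    ]
    for label, out in samples:
        verdict = {True: "OUTDATED", False: "current", None: "not installed"}[needs_update(out)]
        print(f"{label:22s} -> {verdict}")
```

The tuple comparison is what makes this robust: `1.6.0_9` sorts correctly below `1.6.0_22`, which a plain string comparison would get wrong.  A "not installed" verdict is the state Brian Krebs is recommending for machines that have no real need for Java.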

Update Monday, 18 October, 23:00 EDT

Ars Technica also has an article on the Microsoft report.

Adobe Announces New Acrobat Products

October 18, 2010

Adobe Systems, the originators of the widely used Portable Document Format (now an ISO standard), and makers of the Adobe Acrobat and Reader software, today announced a new family of products, including Adobe Reader X and Acrobat X.  This new series of software, which Adobe says will be available sometime in November, will incorporate numerous new features and capabilities; the Acrobat product, used to create PDF documents, will include improved integration capabilities with Microsoft’s SharePoint and other applications, to facilitate collaborative work.

For most users, though, the potentially more important news is that the new Reader X package will include the “Protected Mode” operation that Adobe first announced publicly in July of this year.  This will put all the processing of a PDF document in a “sandbox”, much as the Google Chrome or Mozilla Firefox browsers do with plugins.  This means that, if a PDF document contains an attempt to write to the user’s disk, or launch an external application, the request will be intercepted and scrutinized before it is allowed to proceed.

Should Adobe Reader need to perform an action that is not permitted in the sandboxed environment, such as writing to the user’s temporary folder or launching an attachment inside a PDF file using an external application (e.g. Microsoft Word), those requests are funneled through a “broker process,” which has a strict set of policies for what is allowed and disallowed to prevent access to dangerous functionality.

This approach, assuming it is implemented correctly, has the potential to limit the use of attacks popular with malware developers.
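To make the sandbox/broker split concrete, here is an added Python sketch of the pattern the two paragraphs above describe; it is an illustration written for this page, not Adobe's code, and the request types, the allow-lists and the policy rules are all constructed.  The untrusted renderer never touches the filesystem or spawns processes itself; every such action becomes a request to a broker, which applies a default-deny policy and keeps an audit log of its decisions.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    """A privileged operation the sandboxed side wants done (hypothetical format)."""
    op: str            # "write_file" or "launch_app"
    target: str        # path to write, or program name to launch
    payload: bytes = b""


class BrokerPolicy:
    """Constructed allow/deny rules: writes only under allowed_dirs, launches only
    of programs on the allow-list, and everything else denied by default."""

    def __init__(self, allowed_dirs: List[str], allowed_programs: List[str]):
        self.allowed_dirs = [os.path.realpath(d) for d in allowed_dirs]
        self.allowed_programs = set(allowed_programs)

    def _inside_allowed_dir(self, path: str) -> bool:
        # Resolve ".." and symlinks first, so a path that merely *starts* with
        # the temp directory but escapes it is still caught.
        real = os.path.realpath(path)
        return any(os.path.commonpath([real, d]) == d for d in self.allowed_dirs)

    def decide(self, req: Request) -> bool:
        if req.op == "write_file":
            return self._inside_allowed_dir(req.target)
        if req.op == "launch_app":
            return os.path.basename(req.target) in self.allowed_programs
        return False  # unknown operation: deny


class Broker:
    """The privileged side: the only component that actually touches the OS."""

    def __init__(self, policy: BrokerPolicy):
        self.policy = policy
        self.log: List[Tuple[str, str, str]] = []  # (op, target, decision) for auditing

    def handle(self, req: Request) -> bool:
        allowed = self.policy.decide(req)
        self.log.append((req.op, req.target, "ALLOW" if allowed else "DENY"))
        if not allowed:
            return False
        if req.op == "write_file":
            with open(req.target, "wb") as f:
                f.write(req.payload)
        elif req.op == "launch_app":
            pass  # a real broker would spawn the program here; this sketch only records it
        return True


class SandboxedRenderer:
    """The untrusted side: it holds no file or process capability, only the broker."""

    def __init__(self, broker: Broker):
        self.broker = broker

    def save_temp(self, path: str, data: bytes) -> bool:
        return self.broker.handle(Request("write_file", path, data))

    def open_attachment_with(self, program: str) -> bool:
        return self.broker.handle(Request("launch_app", program))


def demo() -> Tuple[Dict[str, bool], List[Tuple[str, str, str]]]:
    """Run four requests through the broker and return the outcomes plus the audit log."""
    tmp = tempfile.mkdtemp()
    policy = BrokerPolicy(allowed_dirs=[tmp], allowed_programs=["WINWORD.EXE"])
    renderer = SandboxedRenderer(Broker(policy))
    results = {
        "temp_write": renderer.save_temp(os.path.join(tmp, "cache.bin"), b"ok"),
        "escape_write": renderer.save_temp(os.path.join(tmp, "..", "escaped.bin"), b"x"),
        "launch_word": renderer.open_attachment_with("WINWORD.EXE"),
        "launch_unlisted": renderer.open_attachment_with("unlisted.exe"),
    }
    return results, renderer.broker.log


if __name__ == "__main__":
    outcomes, log = demo()
    for entry in log:
        print(entry)
```

The point of the design is in `Broker.handle`: the renderer's request is a data object, not an action, so a renderer that has been compromised by a malicious PDF can only ask, and the policy (not the renderer's own code) decides.  The author's caveat "assuming it is implemented correctly" lands on exactly the lines that resolve paths and compare them; a broker that forgot `realpath` would approve the `..` write.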

This, in turn, should be welcome news for users.  Because it is a cross-platform application, and because it is so widely deployed, Adobe Reader has been a target of choice for the Bad Guys.  Making their job harder is a good thing for everyone else.

The ThreatPost blog from Kaspersky Labs also has an article on this announcement.
