Brian Krebs, in a post on his Krebs on Security blog, warns that evidence gathered by Microsoft’s Malware Protection Center (and posted on their blog) shows a rapid increase in the number of attacks that exploit vulnerabilities in Java. According to the Microsoft data, these attacks now number in the millions per quarter, and may have surpassed attacks against Adobe PDF software as the target of choice among the Bad Guys. (Brian Krebs gave some revealing information about the inclusion of Java exploits in the “exploit packs” used to build malware campaigns in a post about a week ago.)
Java, like the Adobe products, is a cross-platform package that is widely installed on users’ machines. The Java run-time software provides a “Java virtual machine” [JVM] that executes bytecode compiled from programs written in the Java language; on most consumer machines it is also wired into the Web browser as a plug-in, so a malicious Web page can hand it code to run. Although the system, designed originally by Sun Microsystems, now a part of Oracle, had security as an important design objective, it is very difficult to secure such a powerful tool completely. And, despite the continuing attention paid to security fixes for Windows itself, the reality is that attackers have been finding juicier targets in application software: Web browsers, the Adobe products, and Java. As Holly Stewart of Microsoft wrote in their blog post,
Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don’t think to update it. On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it’s running?
Brian Krebs has suggested that users remove Java from their machines unless they have a specific requirement for it. (Java is most widely used in enterprise environments; many home users have it installed only because some installer bundled it.) This is in some ways an extreme step; on the other hand, the one type of software guaranteed never to cause security problems is the type that’s not installed on the system. If you decide to remove Java, I recommend testing the applications and Web sites you depend on fairly thoroughly before entirely burning your bridges.
If you keep Java, you do need to be diligent about keeping up with patches. Just recently, Oracle released a new Java version, Java SE 6 Update 22 (version string 1.6.0_22), that fixed 29 different security vulnerabilities. As always, I will do my best to post alerts of these updates here.
Update Monday, 18 October, 23:00 EDT
Ars Technica also has an article on the Microsoft report.