Forgot your password?
typodupeerror
Java Security

Massive Amount of Malware Targets Older Java Flaws 102

Posted by samzenpus
from the soft-target dept.
Trailrunner7 writes "It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years. Research from Microsoft shows that there has been a huge spike in malware targeting Java vulnerabilities since the third quarter of 2011, and much of the activity has centered on patched vulnerabilities in Java. Part of the reason for this phenomenon may be that attackers like vulnerabilities that are in multiple versions of Java, rather than just one specific version."
This discussion has been archived. No new comments can be posted.

Massive Amount of Malware Targets Older Java Flaws

Comments Filter:
  • Oracle Java: Bad (Score:5, Informative)

    by Anonymous Coward on Monday May 13, 2013 @05:25PM (#43714975)
    The problem we (as systems admins) have with Oracle Java is that they don't patch: they give you new versions. Each new version deprecates some things, adds new things, and breaks some things that worked before. So you end up with banking entities (looking at you Citigroup and others) that require you to use old, vulnerable versions in order to perform enterprise money transactions. You end up with the good vendors scrambling to get their code working, while the bad vendors just tell you that you have to run the old version of Java. It is so bad that we are working on a policy to keep new Java based (client) applications out and not allow the business units to bring them it. The damn thing is impossible to manage seeing as how you need the latest version but can't run it if you want your apps to work. Terrible software.
    • Re:Oracle Java: Bad (Score:5, Interesting)

      by allcoolnameswheretak (1102727) on Monday May 13, 2013 @06:11PM (#43715255)

      Actually, the one practically undisputed big selling point of Java is backwards compatibility. In fact, most experienced developers I know would cite that Java's stringent backwards compatibility policy is one of the things that has been holding the platform back, impeding progress. As an experienced Java developer myself, I would claim that 95% of Java applications should be upgradable to the most recent version without any issues at all.

      • "upgradable" was the wrong word. Most Java applications should run on the newest version of the VM without problems, right out of the box.

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          Good luck with that... having code that works in more than one VM is a big task. For example, am I stuck with a VM that has JCE, or do I have access to JSSE? Even then, a JVM on a Mac may not run code written by a JVM on Windows.

          Oracle needs to do a complete library enema of Java and really get write once, run everywhere going properly, just like how MS cleaned up house going from .NET 1.x to 2.0.

          If I want something that works across platforms, it would be JavaScript, or HTML5. No flash, no Java, no stup

      • by JazzXP (770338)
        Actually most experienced developers will tell you that while backwards compatibility is holding it back, even minor upgrades tend to break things (in particular since Oracle took over).
      • by Joce640k (829181)

        Actually, the one practically undisputed big selling point of Java is backwards compatibility.

        Was backwards compatibility.

        Before Oracle took over.

        Nowadays all you're backwards compatible with is the old exploits.

      • by NotBorg (829820)
        Then why do so many Java programs require specific JVM versions? They literally won't run on newer Javas.
    • Re: (Score:2, Interesting)

      by hairyfeet (841228)

      As someone who no longer has to deal with corporate (thank God, Allah, Zeus and the FSM) what pisses me off is after YEARS of decline, to the point that finding Java installed on a home user or SMB was as rare as hen's teeth that god damned game came out and fucking obliterated 10 years of declining java overnight. I am of course talking about Minecraft, or as i call it "the STD of casual gaming"

      The problem is...and i'm gonna get the Jfanboys screaming bloody fucking murder for daring to point this out, but

      • Re: (Score:3, Informative)

        by Sarten-X (1102295)

        It's not the programmers that matter. Programmers can write Java and compile it with any JDK they please, and it should run on any JRE, including OpenJDK [java.net] and its companion JRE project. I don't know how well they patch compared to Oracle, but it's an open-source replacement, which works pretty well in my experience.

        • by Gr8Apes (679165)

          Ugh, no.

          My last two forays with OpenJDK have led me to never ever use it again. It is not compatible.

          • Re:Oracle Java: Bad (Score:4, Interesting)

            by Sarten-X (1102295) on Monday May 13, 2013 @09:10PM (#43716349) Homepage
            In the interest of being pedantic, OpenJDK is the reference implementation. Oracle's JRE is the one that isn't compatible.
            • by Gr8Apes (679165)
              The mods must find it interesting that you're wrong, or that you find Oracle wrong? I don't know. But even basic code had challenges running on OpenJDK. Do a few multithreaded pools with some DB access and synchronization and whoopsie....
              • by hairyfeet (841228)

                That is why I mentioned Android and not OpenJDK, because I heard that like Gnash its pretty terrible. I don't know if it has gotten better but i tried both 2 years ago and even a basic java chat client fell down and went boom on OpenJDK, and I couldn't get Gnash to pay a 4 year old VP6 flash video I found.

                But the fact he got modded up just shows how much groupthink and reality don't go together because that is like saying its MSFT's fault that LO makes word salad out of even slightly complex docs. At the

                • by Gr8Apes (679165)

                  You noted that I didn't talk to Android, because that one works, whether Oracle likes it or not. OpenJDK just wasn't there, and probably won't be there for a while, especially in the areas of truly interesting functionality, such as NIO. (To me anyways, I write mostly server type code, for non mobile clients anyways).

                  I do take exception to your claim of Java being a massive security breach, because it's not. What is a screaming pile of cracker opium are the browser plugins. Yes, the security manager / sand

                  • by Sarten-X (1102295)

                    What's interesting is the pedantic point that right or wrong, OpenJDK's right. Sure, it's horribly broken, but by being the reference implementation, it's right by definition. This is indeed similar to Microsoft's mistreatment of the Office Open XML format. Upon release, the official spec was demonstrably not the format Office actually used. For making a program compatible with Microsoft Office, Microsoft's spec was nearly useless. For making a JRE compatible with Oracle's Java, Oracle's spec is nearly usel

                    • by Gr8Apes (679165)

                      OpenJDK's ... horribly broken, but by being the reference implementation, it's right by definition.

                      Seriously, do you even read what you write? it's broken, it's not the reference implementation, that would be Sun's, and now Oracle. There are other implementations that work - namely Apple, IBM, and BEA's renditions (also now acquired by Oracle). So there's no excuse for the horror that is OpenJDK, so the "spec is nearly useless" is provably false. You may not like it, it may not be the idealist's preferred outcome, but Java does work.

                      Google's Dalvik VM was never mentioned as a replacement, just as an i

                    • by Sarten-X (1102295)

                      Keep digging that hole deeper [oracle.com].

                      Historically, Sun always used the Sun JDK as the RI and made it available under the Binary Code License (BCL). This was very convenient for Sun since it meant that its product implementation was compatible by definition. However, it was also confusing since the Sun JDK contained quite a few features that were not part of the standard, such as the Java Plugin.

                  • by hairyfeet (841228)

                    IF they have a browser that runs in low rights mode and IF they have a good AV? Then sure java is fine, but you are dead wrong about it JUST being the plug in that is a threat.

                    At the end of the day you just can't change the fact that java has one of the most piss poor security records out there, it competes with flash and reader for most security risks per version. When you are looking at something with that poor a record frankly excuses are pointless, nothing will change the fact that bugs jumping out o

                    • by Gr8Apes (679165)

                      I am not worried. At the end of the day, MS has the absolute worst security record out there, by any definition you care to make. Remove the browser and run Java with known code, amazingly, it's quite secure and powers all sorts of web sites that deal with PCI, PPI, and more. Anything MS has to get an exception.

                    • by Gr8Apes (679165)

                      And you are still wrong. I didn't say squat about low right mode and good AV. Under windows, even windows 7, this means absolutely nothing thanks to a common and easily abused DLL injection mechanism and a completely retarded security model.

                      Considering that it's not really meant to be used in a browser (yeah, surprise, it's not), it's amazing that people still try to use it this way.

            • by Trogre (513942)

              You have got to be joking.

              Please tell us how you got on building and running something even as basic as MIDlets with OpenJDK.

      • Re: (Score:2, Interesting)

        by Gr8Apes (679165)
        Interesting that the systems I've worked on for more than 10 years, some still running, don't seem to have these security issues you're whining about. Is that, perhaps, because they're almost all wholly related to the browser plugins? Disable that and woah... you don't have security problems.
        • by hairyfeet (841228)

          Nope, sorry, WRONG. Sure you'd THINK it would be browser plugins but try loading up a VM and hitting some malware laden sites and you'll see they'll scan for old versions and if you aren't on a browser that runs in low rights mode, like say Firefox or any browser on XP, then they will do everything they can to trick the user into running a java app and fucking themselves. hell i saw one which downloaded a small 2Mb .jar and then had a webpage yes/no dialog box pop up which was actually how they were getting

          • by Gr8Apes (679165)

            You are so hellbent on a crusade you're sad.

            Read your post - Browser site browser browser download webpage......

            You do realize that the "jar" could also be an EXE, or some sort of script, or any numerous other entry points. It could even be a jar that contains an EXE that it then copies and executes. In any case, it's either a trojan (read that as you're a moron for running untrusted code) or a plugin. So, you're still wrong. Enjoy.

    • by mrmeval (662166)

      URL: is another one that forces us to have insecure crap on our system. We run a thin client which runs firefox which runs their crap.

      This of course removes all the sales drone drooling about fixing the lost work time problem of everyone standing in line doing nothing.

      The genius that chose these tards has departed the building for more pay or that's what we were told.

    • they don't patch: they give you new versions...require you to use old, vulnerable versions

      Exactly. And as such, we will be running Java 6 Update 16 (released in 2009) until at least 2014 on 5,000+ machines.

    • by cgomezr (1074699)

      If a Java application requires an older version of the platform, it's probably due to crappy coding (violating a precondition of some method, trusting undefined behaviour, using undocumented libraries that are not part of the standard API, etc.)

      I have been developing in Java for like 12 years and I have never had any issues with backward compatibility. The closest I have had to an issue was a change to how word wrapping works in Swing text components in 1.7, which made an application look a bit uglier in th

    • We've had that policy for years now and it's working quite well. Using .net for everything may be a bit of a pain at times, but it beats having to test every app twice a month when a new version of Java comes out.

  • by Anonymous Coward

    shows that microsoft is no longer the target of attacks, nor the target of use.

  • by techno-vampire (666512) on Monday May 13, 2013 @05:56PM (#43715185) Homepage
    People who still use older versions of Java probably aren't up to date on other patches or updates either, making them even easier to exploit or infect. Stupid is as stupid does, and that includes IT policies that don't allow machines to be kept current when it comes to security.
    • too true, You should be always up to date with ur applications not only because exploits but also performance in general
  • Wouldn't you be pretty stupid to target the current mostly patched version and ignore the FAR larger pool of older installs.

    This is only news if you don't have a clue

  • Read these words:

    Java.
    Malware.
    Security.
    Flaw.

    Now watch this interview (and maybe the blooper reel as well) [tomwoods.com]

    and then read these words once again:

    Java.
    Malware.
    Security.
    Flaw.

    I bet you are reading these in that zombie voice now.

  • by tstrunk (2562139) on Monday May 13, 2013 @06:44PM (#43715505)

    Some posts above mine, people blame Oracle Java. I blame the updater.

    My dad was hit by malware lately, which he got, because of an outdated Java on his system. He told me he always updated everything and blocked the install of everything else like toolbars. The last thing before he got the virus he remembered, was not allowing jusched.exe admin priviledges.

    I get it: jusched mean java update scheduler and everytime it's run it asks for admin priviledges. First of all:
    1.) This should be updated automatically by a package manager, hence I blame Microsoft
    2.) If 1.) is not the case, it should at least be called JAVA UPDATE PROCESS
    3.) It should display some kind of information before requesting Admin rights.

    Not many people outside of Slashdot know what jusched.exe is. Updating needs to be automated. Actually: We should somehow take this into our own hands and provide OpenJDK for Windows also ourselves and get people to switch. Maybe even without the ASK Toolbar

    • by Anonymous Coward

      Your 2 and 3 are pointless. Any virus could easily duplicate and display the same information

    • by Anonymous Coward

      No, updating should not be automated. The INSTALLER should ask whether or not you want it automatically updated, and if so, how/when, etc. Instead, we get the situation where (for example) I have to put up with jusched.exe's constant complaining that it has an update, but I don't have the privileges to install it, so I get nagged about it EVERY FRICKING TIME I login to a machine I have no control over (and therefore it isn't getting updated ever); or I get the situation where I do have admin rights, but I

    • Bingo. Why does a system tray notification require admin rights? Every other software installer I've ever downloaded tells you what it's going to install and only asks for admin rights when the installation process itself starts.
      • by tlhIngan (30335)

        Bingo. Why does a system tray notification require admin rights? Every other software installer I've ever downloaded tells you what it's going to install and only asks for admin rights when the installation process itself starts.

        Better yet, why isn't it downloading on behalf of the installer and letting the INSTALLER ask for admin rights?

        Half the time, it claims there's an update, and then it promptly fails to download it. After giving it admin. Why not attempt to download it ahead of time?

        Yes, ask for admi

    • by gravyface (592485)
      Take your pops to good ol' Ninite.com. Have him create an installer of all the apps he wishes to use and keep up-to-date, and either run it as a scheduled task (there's some command line switches to make this doable) or if he's like my Dad, he'll write it in the kitchen calendar and never miss running it himself manually. Once you build the installer, it's a run-and-wait thing; doesn't require any other steps, he can just keep running the same Ninite installer every week/month.
  • ...if you don't have a need for it or don't remember when you last used it, uninstall it.

  • Microsoft deflecting their own security flaws,

  • In Chrome, Firefox, and all Android browsers, just enable "click to play" for all plugins, instantly 99.9% of your vulnerabilities are gone.
    Bonuses: no flashing ads, fewer CPU or RAM chugging browser tabs, no random audio ads, better battery life.

    On the few sites where you want it on by default (youtube for example) it's just a two click "enable permanently" whitelist.

    WHY isn't this the default on all browsers by now?

  • by coder111 (912060) <coder&rrmail,com> on Tuesday May 14, 2013 @03:40AM (#43717853)
    How many times do I have to repeat this. ALMOST ALL THE VULNERABILITIES TARGET JAVA APPLETS THAT RUN WITH JAVA PLUGIN INSIDE BROWER. This is not java the language in general, this is not even the JVM, this is the stupid applet sandbox. And nobody uses applets for anything anymore, this is obsolete technology maintained for backwards compatibility.

    95% of Java today is running on the server-side. And there are very few security problems there.

    Given the amount of articles and FUD targeted at Java on Slashdot in recent months, they could have gotten this right by now. Editors, please be explicit about this being java APPLET/BROWSER PLUGIN vulnerability every time this comes up. This is not Java language vulnerability.

    --Codera
    • by gbjbaanb (229885)

      but you're wrong.

      The plugin is simply the vector that a great number of attacks use to infect your system, the flaws are still (mostly) in the JVM.

      Don't stick your head in the sand and say "blah blah no flaws in java", as you're doing everyone a huge disservice. There are bugs in the JRE that are exploited all the time (check the security fixes Oracle publishes to see what these are)., and understand that removing the plugin simply means the attackers have a harder, but not impossible, time to hack you.

  • I had to deal with a client who wanted a .Net application because "JAVA had major vulnerabilities". Who told him this stupidity ? A "specialist" in .Net applications ! WOW ! I had to spend 3 full days to explain to him what is Java, what is an applet, why nobody uses applet anymore except the old dinosaurs who don't want to die and why it is safer and cheaper and better for him to use Java servers and applications.

    Stop the bullshit ! Java is as safe as or even safer than any other technologies.

    And for
  • The reason Java is used so extensively in the enterprise is because managers want bells and whistles.
    We built a basic html app and one yahoo wanted rounded corners because they looked nice.
    We said "No" due to performance issues. Then he tried to get it in thru the standard backdoor of 'standardization' and we used our strategy of defensive paperwork--the first criteria for standardization was performance, not looks. We couldn't get the other departments to stop using Java to develop apps with rounded corn
    • And you should use this same argument against .Net and any other enterprise-level, we-can-do-it-all, kind of snake oil system presented by salesmen writing articles for airline magazines. If .NET was supposed to make things easier, then the ease ought to be measurable by now. Same with SAP or any other ERP system.

      One ring to rule them all is fiction, not fact.

nohup rm -fr /&

Working...