Microsoft: Java worse than PDF as security threat

Java should be considered a top software security threat, even more so than Adobe PDF files, according to Microsoft's announcement issued today.

Holly Stewart of the Microsoft Malware Protection Center (MMPC) noted that Adobe's software has tended to get the rap for security problems that require patching, but Java deserves perhaps more attention as a vector for attacks. She cited MMPC data from the third quarter showing that malware exploit attempts using Java (not to be confused with JavaScript) exceeded those using Adobe PDF files.

Exploit attempts leveraging Java peaked at more than six million in the third quarter. In contrast, exploit attempts tapping PDF files in that same time period were measured in the thousands, according to MMPC data.

The Java exploit attempts on Windows machines mostly used known security issues for which Microsoft has already issued patches, according to Stewart. Those issues include CVE-2008-5353, CVE-2009-3867 and CVE-2010-0094, all of which are associated with the Java runtime environment. Microsoft particularly noted exploits associated with the CVE-2008-5353 bulletin as "a major problem."

The low profile of Java as a software security attack vector is due, in part, to the lower volume of attacks compared with malware families such as Zbot, according to Stewart. She also speculated that makers of intrusion prevention system software have trouble analyzing Java code themselves and so haven't sounded the alarm.

Stewart pointed to a post by security researcher Brian Krebs as one of the few outlets identifying Java as a potential security problem. According to Krebs, the regular monthly Java patches delivered by Oracle through automatic updates aren't frequent enough to ward off potential attacks. He recommended increasing the frequency of Java update checks. Alternatively, for those who don't really need Java, he recommended removing the Java Runtime Environment altogether.

Still, Java is popularly used. According to Oracle's website, "Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices."

About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including Redmondmag.com, RCPmag.com and MCPmag.com.
