Microsoft: Java worse than PDF as security threat

Java should be considered a top software security threat, even more so than Adobe PDF files, according to Microsoft's announcement issued today.

Holly Stewart of the Microsoft Malware Protection Center (MMPC) noted that Adobe's software has tended to get the rap for security problems that require patching, but Java deserves perhaps more attention as a vector for attacks. She cited MMPC data from the third quarter showing that malware exploit attempts using Java (not to be confused with JavaScript) exceeded those using Adobe PDF files.

Exploit attempts leveraging Java peaked at more than six million in the third quarter. In contrast, exploit attempts tapping PDF files in that same time period were measured in the thousands, according to MMPC data.

The Java exploit attempts on Windows machines used known security issues for the most part for which Microsoft has already issued patches, according to Stewart. Those patches include CVE-2008-5353, CVE-2009-3867 and CVE-2010-0094, all of which are associated with the Java runtime environment. Microsoft particularly noted exploits associated with the CVE-2008-5353 bulletin as "a major problem."

The low profile for Java as a software security attack vector is due, in part, from the lower volume of attacks compared with malware families such as Zbot, according to Stewart. She also speculated that makers of intrusion prevention system software have trouble figuring out Java code themselves and so haven't sounded the alarm.

Stewart pointed to a post by security researcher Brian Krebs as one of the few outlets pointing to Java as a potential security problem. According to Krebs, the regular monthly Java patches delivered by Oracle through automatic updates aren't frequent enough to ward off potential attacks. He recommended increasing the frequency of Java update checks. Alternatively, for those not really needing Java, he recommended just removing the java runtime environment altogether.

Still, Java is popularly used. According to Oracle's website, "Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices."

About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including Redmondmag.com, RCPmag.com and MCPmag.com.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.