Microsoft warns of Java exploit rise

There has been a rapid expansion in the amount of malware that attempts to exploit Java code, according to Microsoft.In the second quarter of 2010, Microsoft Malware Protection Center had detected under half a million exploits with its antimalware technology, from virtually zero a year before.

There has been a rapid expansion in the amount of malware that attempts to exploit Java code, according to Microsoft.

In the second quarter of 2010, Microsoft Malware Protection Center had detected under half a million exploits with its antimalware technology, from virtually zero a year before. Between Q2 2010 and the middle of Q3, that figure had increased to over six million.

"By the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored," said Microsoft researcher Holly Stewart in a blog post.

Security vendor F-Secure told ZDNet UK on Tuesday that it had seen thousands of Java exploits, and that this could present a security problem. Versions of Java over a year old did not uninstall previous versions when installed, said F-Secure security advisor Sean Sullivan.

Malware kits are available online which have exploits for older versions of Java, said Sullivan.

"It's a matter of exploit kits plugging into old vulnerabilities and people not realising they have old versions of Java installed," said Sullivan.

Security compliance company Qualys said in a statement on Tuesday that IT managers often did not patch Java.

"We are now seeing an increased attention on Java," said Qualys chief technology officer Wolfgang Kandek. "Java attends to the basic characteristics: it is a widely installed, it has a set of well known vulnerabilities and it has been largely ignored by IT administrators for patching."

Kandek said that Oracle, which is now ultimately responsible for Java after its Sun acquisition, should collaborate with competitor Microsoft to automatically distribute Java patches.

"It would be ideal if Oracle/Sun could collaborate with Microsoft to use the well established and robust WSUS update process to distribute fixes to Java," said Kandek. "If this mechanism could then be extended to all major software vendors, the internet would become increasingly safer to use for all of us."

Oracle had not responded to a request for comment at the time of writing.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All