Microsoft reports 'unprecedented wave' of Java malware exploits
Summary: According to data from Microsoft's malware protection center, there has been an "unprecedented wave" of exploits against vulnerabilities in Oracle Sun's Java software in 2010.
According to data from Microsoft's malware protection center, there has been an "unprecedented wave" of exploits against vulnerabilities in Oracle Sun's Java software in 2010.
Microsoft's Holly Stewart notes that there has been a dramatic spike in Java attacks in the third quarter this year, mostly against these three vulnerabilities:
|
CVE |
Attacks |
Computers |
Description |
|
CVE-2008-5353 |
3,560,669 |
1,196,480 |
A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X. |
|
CVE-2009-3867 |
2,638,311 |
1,119,191 |
Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments. |
|
CVE-2010-0094 |
213,502 |
173,123 |
Another deserialization issue, very similar to CVE-2008-5353. |
The startling data comes on the heels on last week's massive Java patch that covered 29 critical security vulnerabilities.
According to Oracle, 28 of these vulnerabilities could be remotely exploitable without authentication (over a network without the need for a username and password). The patches are available for Windows, Linux and Solaris users.
According to Oracle’s advisory, 15 of the 29 vulnerabilities carry the maximum 10.0 CVSS severity rating.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
That is "Java and PDF", not "Java"
Curious...
What was so cheap about leaving PDF out of the headline? Look at the colors representing PDF (dark) and Java (light) on the graph. It couldn't be any more clear that the news here pertains to the Java data -- not the PDF data.
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
The cheap, low class trick is the bloated, slow JRE with its updates every week to fix bugs.
Unless, like me, you actually downloaded this rubbish or it came installed on one of the fringe OSs, you don't have anything to worry about because it was dumped from Windows long ago.
Java, just say no.
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
>>Java, just say no.
Say no to Eclipse and NetBeans? pffft. Yeah right.
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
just M$ FUD!
Other OSes are doing just fine.
M$ should change the plate and fix its own mess!
WRONG!
Both Mac OS X AND Linux are vulnerable. Learn to read!
wrong. no antivirus here
no antimalware, no anti nothing, in the meantime just today a client asked me to recommend him an antivirus for his company. After a quick research I found hundreds of products dedicated to protect Windows. Why so many?
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
Software has to be classified as a "virus" for antivirus to detect it. Ask any security researcher what kind of attacks Linux clients get, and it's always remote code execution used to steal private data, usually on enterprise systems. Oh, and DoS attacks on web servers. Maybe you've just forgotten about all those high-level attacks?
So tell me, what kind of protection do you have against security holes, aside from patching? Windows has antimalware software as an extra layer, while Linux doesn't, and you want to argue that Linux is better because of that?
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
Pretty simple. There's a market for them and there's a market for AV software, because with 90% (or more) of the Desktops in the world, attacking Windows makes good business sense (if you write malware).
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
Not ALWAYS! Sometimes, scanners are able to 'heuristically' tell when something is dangerous by it's behavior: such as trying to DELETE A WAD OF FILES in a directory or otherwise.
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
According to Oracle, 28 of these vulnerabilities could be remotely exploitable without authentication (over a network without the need for a username and password). The patches are available for Windows, Linux and Solaris users.
Wow, you're so biased that you didn't even bother to read the article. Nice.
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
Well, not quite. JAVA applets have no root privs and on a backed up system can do no damage at all and only minor damage on a system that is not backed up.
Learn to think.
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
Huh? Learn to read, I simply quoted the article and in spite of what you're saying the vulnerbilities in still exist *NIX no matter how much damage they may or may not be able to cause.
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
Right.
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
RE: Microsoft reports 'unprecedented wave' of Java malware exploits
You, like the makers of your desktop of choice, are clueless.
All I have to say is "PROVEN!"
Websites are starting to offer this as a "media plugin", and it's spreading via Google Ads now. All it does is open up numerous other Java exploits to trojan plugins.
This is spreading FAST, so get your Java updates immediately, or just remove Java altogether and eliminate the possibility of being exploited by these!
RE: Microsoft reports 'unprecedented wave' of Java malware exploits