Microsoft reports 'unprecedented wave' of Java malware exploits

Summary: According to data from Microsoft's malware protection center, there has been an "unprecedented wave" of exploits against vulnerabilities in Oracle Sun's Java software in 2010.

Microsoft's Holly Stewart notes that there has been a dramatic spike in Java attacks in the third quarter this year, mostly against these three vulnerabilities:

| CVE | Attacks | Computers | Description |
|---|---|---|---|
| CVE-2008-5353 | 3,560,669 | 1,196,480 | A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X. |
| CVE-2009-3867 | 2,638,311 | 1,119,191 | Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments. |
| CVE-2010-0094 | 213,502 | 173,123 | Another deserialization issue, very similar to CVE-2008-5353. |

"The first two, in particular, have gone from hundreds of thousands per quarter to millions," Stewart said.

The startling data comes on the heels of last week's massive Java patch that covered 29 critical security vulnerabilities.

follow Ryan Naraine on twitter

According to Oracle, 28 of these vulnerabilities could be remotely exploitable without authentication (over a network without the need for a username and password). The patches are available for Windows, Linux and Solaris users.

According to Oracle’s advisory, 15 of the 29 vulnerabilities carry the maximum 10.0 CVSS severity rating.

Talkback

56 comments
  • That is "Java and PDF", not "Java"

    So we have a cheap, low class trick in the headline.
    DDERSSS
    • Curious...

      @denisrs

      What was so cheap about leaving PDF out of the headline? Look at the colors representing PDF (dark) and Java (light) on the graph. It couldn't be any more clear that the news here pertains to the Java data -- not the PDF data.
      StephenChapman
    • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

      @denisrs

      The cheap, low class trick is the bloated, slow JRE with its updates every week to fix bugs.

      Unless, like me, you actually downloaded this rubbish or it came installed on one of the fringe OSs, you don't have anything to worry about because it was dumped from Windows long ago.

      Java, just say no.
      tonymcs1
      • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

        @tonymcs@...
        >>Java, just say no.

        Say no to Eclipse and NetBeans? pffft. Yeah right.
        Duke E Love
    • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

      @denisrs maybe you have an issue reading graphs. Do you see where the java graph goes? Notice the PDF graph? Does it spike into the millions? No.
      Jimster480
  • just M$ FUD!

    and only windoze has been compromised!
    Other OSes are doing just fine.
    M$ should change the plate and fix its own mess!
    Linux Geek
    • WRONG!

      @Linux Geek

      Both Mac OS X AND Linux are vulnerable. Learn to read!
      Joe_Raby
      • wrong. no antivirus here

        @Joe_Raby
        no antimalware, no anti nothing, in the meantime just today a client asked me to recommend him an antivirus for his company. After some quick research I found hundreds of products dedicated to protecting Windows. Why so many?
        theo_durcan
      • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

        @theo_durcan:

        Software has to be classified as a "virus" for antivirus to detect it. Ask any security researcher what kind of attacks Linux clients get, and it's always remote code execution used to steal private data, usually on enterprise systems. Oh, and DoS attacks on web servers. Maybe you've just forgotten about all those high-level attacks?

        So tell me, what kind of protection do you have against security holes, aside from patching? Windows has antimalware software as an extra layer, while Linux doesn't, and you want to argue that Linux is better because of that?
        Joe_Raby
      • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

        theo_durcan
        Pretty simple. There's a market for them and there's a market for AV software, because with 90% (or more) of the Desktops in the world, attacking Windows makes good business sense (if you write malware).
        notsofast
      • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

        @Joe_Raby

        Not ALWAYS! Sometimes, scanners are able to 'heuristically' tell when something is dangerous by its behavior: such as trying to DELETE A WAD OF FILES in a directory or otherwise.
        Lerianis10
    • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

      @Linux Geek

      "According to Oracle, 28 of these vulnerabilities could be remotely exploitable without authentication (over a network without the need for a username and password). The patches are available for Windows, Linux and Solaris users."

      Wow, you're so biased that you didn't even bother to read the article. Nice.
      Heatlesssun
      • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

        @Heatlesssun
        Well, not quite. JAVA applets have no root privs and on a backed up system can do no damage at all and only minor damage on a system that is not backed up.
        Learn to think.
        kirovs
      • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

        @kirovs

        Huh? Learn to read, I simply quoted the article and in spite of what you're saying the vulnerabilities still exist in *NIX no matter how much damage they may or may not be able to cause.
        Heatlesssun
    • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

      @Linux Geek - I agree with you. I mean, how could Java be so flawed as to have this many vuln's exploited so quickly? It's OSS, right, so EVERY OSS hacker EVERYWHERE has read and fully understood EVERY line of Java's source code. Right?

      Right.
      De-Void
      • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

        @De-Void actually you're wrong, it's not open source, it's quasi open source, this is why Oracle is suing Google for using Java in Android, they let out some of the code, but not all of it. And I don't know why everyone seems so surprised every time there is an exploit found in some piece of software, be it M$, or Mac or *nix, nothing is perfect ever, if it was then why would we need to upgrade? What matters is how long it takes to mitigate the threat, either by disabling something or releasing a patch. And for every fix we make, another hole is discovered.. But I do have issues with companies who let a severe exploit go for several months saying they will fix it in the next release, *Glares at Adobe*
        nickdangerthirdi
    • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

      @Linux Geek You're an idiot. All OSes are susceptible to Java/PDF exploits. And Java issues are also not MS's fault. And Windows has fewer exploits than ever. It's extremely difficult to exploit Windows these days, the user has to OK things for you to successfully exploit things.
      Jimster480
    • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

      @Linux Geek

      You, like the makers of your desktop of choice, are clueless.
      Duke E Love
  • All I have to say is "PROVEN!"

    One common Java applet that came up on no less than *5* computers for service TODAY(!) is some program called "OpenConnection", sometimes titled "OpenStream" or similar naming schemes. It's a Java applet that is described as an "open-source video and audio streaming plugin". It even installs Start Menu shortcuts and a removal program that deletes the shortcuts but leaves the app in the Java folder. THIS PROGRAM IS A TROJAN DOWNLOADER, so don't let your kids install this on their system.

    Websites are starting to offer this as a "media plugin", and it's spreading via Google Ads now. All it does is open up numerous other Java exploits to trojan plugins.

    This is spreading FAST, so get your Java updates immediately, or just remove Java altogether and eliminate the possibility of being exploited by these!
    Joe_Raby
  • RE: Microsoft reports 'unprecedented wave' of Java malware exploits

    The whole thing probably has to do with FSF-backed l33t hax0rz sniping at Oracle after the whole debacle that gave birth to LibreOffice/SkySQL.
    Stormbringer_57th