Java-based attacks remain at large, researchers say
Summary: Just how are Java attacks getting through?
A new Websense report suggests that approximately 94 percent of endpoints which run Oracle's Java are vulnerable to at least one exploit, and we are ignoring updates at our own peril.
According to security researchers at Websense, zero-day attacks are not the only persistent threat: exploits for known, already-patched Java vulnerabilities are now a popular tool for cybercriminals.
With so many vulnerabilities, keeping browsers up-to-date can become an issue — especially as Java has to be updated independently from our preferred browser, and a mobile, cross-browser workforce is difficult to manage securely. Keeping this in mind, the security team used their Advanced Classification Engine (ACE) and ThreatSeeker Network to both detect and analyze in real time which versions of Java are currently in use across "tens of millions" of endpoints.
The researchers found that the latest version of Java, version 1.7.17, is only in use by a dismal five percent of users, and many versions are months or years out of date — just begging to be exploited.

Within the digital attack space, crimeware kits — which can be purchased for as little as $200 — often come supplied with Java-based exploits. The researchers' breakdown of vulnerabilities for which exploit kits are available is as follows:

The most widely-detected version of Java currently in use is version 1.6.16. Over 75 percent of browsers are using Java versions which are at least six months old, nearly two-thirds are a year out of date, and 50 percent of Java versions in use are over two years behind the times with respect to Java vulnerabilities.
All in all, the researchers say that the vulnerable population of browsers is pegged at a staggering 93.77 percent.
Time to update, folks.
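The practical question the article raises is whether the endpoints you manage are on the releases it names as current (1.7.17 and 1.6.43) or on something older. The following Python script, an added example rather than anything from Websense or ZDNet, classifies `java -version` banner lines against those two releases. It assumes the article's shorthand "1.7.17" corresponds to the banner string `1.7.0_17` (major family 7, update 17), and likewise for 1.6.16 and 1.6.43; the host inventory it runs over is constructed for illustration.

```python
"""Classify Java runtime version strings against the releases the article
cites as current: Java 7 Update 17 (1.7.17) and Java 6 Update 43 (1.6.43).
Added example, not code from the article or from Websense. Assumption: the
`java -version` banner reports the article's "1.7.17" as "1.7.0_17" and
"1.6.16" as "1.6.0_16" (family.0_update form).
"""
import re
from typing import Dict, NamedTuple, Optional

# Latest update per family, as stated on the page (family -> update number).
LATEST_UPDATE = {7: 17, 6: 43}

# Matches the first line of a `java -version` banner, e.g. java version "1.7.0_17"
_VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


class JavaVersion(NamedTuple):
    family: int   # 5, 6, 7, ...
    update: int   # the number after the underscore; 0 if absent


def parse_version(banner: str) -> Optional[JavaVersion]:
    """Extract (family, update) from banner text; None if no Java banner is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2) or 0))


def classify(v: JavaVersion) -> str:
    """'current' if at or past the latest cited update for its family,
    'outdated' if behind it, 'unsupported' if the family has no current
    release listed at all (the article's "1.5 or lower" case)."""
    latest = LATEST_UPDATE.get(v.family)
    if latest is None:
        return "unsupported"
    return "current" if v.update >= latest else "outdated"


def audit(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a dict of host -> captured `java -version` output."""
    result = {}
    for host, banner in banners.items():
        v = parse_version(banner)
        result[host] = "no-java" if v is None else classify(v)
    return result


# Constructed sample inventory (hostnames and banners made up for this example).
SAMPLE = {
    "ws-01": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
    "ws-02": 'java version "1.6.0_16"\nJava(TM) SE Runtime Environment (build 1.6.0_16-b01)',
    "ws-03": 'java version "1.5.0_22"',
    "ws-04": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Feeding it real output from `java -version 2>&1` collected per host gives a quick picture of how much of a fleet is in the article's "outdated" majority; a host reporting "no-java" has no runtime on its PATH, which is not the same as having no browser plugin installed.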
Charles Renert, vice president of Websense Security Labs told Security Week:
"Controls like patch management cannot eliminate risk exposure; they can only reduce risk to what you already know. Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kinds of vectors is on the rise.
Rather than looking to update a single object or signature at a single point in time, companies must review the entire threat lifecycle and examine multiple opportunities to disrupt attacks."
Talkback
Huge unnecessary vulnerability
Not so!
Fix it already!
It depends...
For me personally, I'm lucky enough to not need java 99% of the time.
I find I rarely need it for the sites I go to - none of the banking sites I use require it, nor do any other sites I use regularly - Flash on the other hand is a different story (though the banking sites I use don't use Flash either - just javascript - maybe some server side java pages, but they don't require java on my end).
For me, java in my browsers is something that is disabled more than 99% of the time - I just enable it on the odd occasion that I need it for something (maybe once or twice a year).
I've actually been disabling it in browsers for over 10 years now - and in that time I've found I rarely need it. My initial reason for disabling it wasn't for security, but to save on computer resources (especially on the slow PCs I had at that time) ;)
Of course, this is just me, and while I'm sure there's many others that only need java as little as I do, I'm also sure there are plenty of people that do need/use it regularly... the problem is most people (probably not readers of tech blogs) would have no idea whether they need it or not or whether they even have it installed.
For Windows users at least, doesn't it need to be installed manually? i.e. doesn't a clean install of Windows have no Java by default?
"When simple things like a mortgage or auto loan calculator requires java to run..." then I tend to feel their use of java for that purpose was somewhat overkill and not something I'd bother to enable java for ;)
Well, just because you think it not doesn't make it so...
When Homeland Security made that recommendation I uninstalled Java altogether and have not missed it a single day since! I do all my bank transactions/payments online, too. Still no need for Java. Oh, and SpankyFrost, you should be able to find loan calculators that don't need Java. You might look at Cnet.com in their download area. I bet you can find something to replace whatever you are using now.
Of course, you can disregard the whole issue with Java and continue to leave yourself open to a possible hack where all your financial data is stolen, along with your passwords, account numbers, etc. Go ahead...you do get to choose. No one will spank you, SpankyFrost.
You do realize that Homeland Security is run by complete idiots, right?
For the non-paranoid, set up your browser (Chrome allows this) to "click-to-run" for plugins. Limiting yourself to sites which don't use plugins, and likely have less to offer, is a personal choice. That'll stop all those "accidental" site visit problems.
But, "...a possible hack where all your financial data is stolen" is more paranoia. Please, get real. If you're that afraid of technology, why are you even banking online?
Guess what? If the server you're using has been compromised, you're still screwed, and you likely will never even know it!
At least with a Java or other plugin based exploit, usually your PC will show some indication of a problem (and likely you'll address it before "OMGOMGOMG all my financial information has been stoled!!!!!")
That's not true...
As far as a loan calculator it is quite simple actually and can be done on the desktop with Run --> Calc and a standard equation, but aside from that there are a myriad of other methods to do such calculations and do not require Java; in fact I would question any site that would use such a complicated calculator for such a simple thing like calculating loans and interest.
The only thing Java is any good for is playing Minecraft, at least that is all I use it for anymore since I was tired of ads invading my screen when browsing, long load times for JEdit (>1 minute on logon) and with it resident in memory you would think file loading would be faster but it is still slower than notepad or even my Visual Studio editor. Point being it is a resource hog and acts as a Weed or a Virus more than a development language.
If it wasn't obvious I am not a proponent of Java, more like an exponent of efficiency.
Unfortunately..
I see this too
I was with you until...
This is ignorant trash. The "requirement" to run an outdated version of Java is the issue, not the platform itself. The VM is backwards compatible. In other words, a newer version of the JRE is pretty much ALWAYS better. The vendor requirements are idiotic ignorance, probably the result of idiot management.
Actually...
In the same boat...
The next move is to push management to spend.
Good luck with that.
I get hit with Java drive-by-downloads several times a day
Attention readers: Read the article.
1.7.15 and 1.6.41 are vulnerable.
1.7.17 and 1.6.43 (both released March 1, 2013) are updated and "safe".
(Besides that, you can try it with 1.7 and see if it works anyway.)
I thought 1.6 was going to be orphaned in Feb. 2013, so maybe 1.6.43 was the last update for 6; I don't know. But it is possible to use 1.6 today and be "up to date".
If you need 1.5 or lower, you have a problem.
If REQUIRED to use Java...
Android Uses Java Heavily...
Although it's not without its own issues
It's the web plugin
Java programs such as java apps use the same runtime, with the same vulnerability, but are unaffected because they are designed to work in a different way to the web plugin.
There has been a lot of confusion. You do not need to uninstall the jre and all your favourite java software, just the web plugin unless you really need it, then keep it up to date. Additionally, and I'm not sure where this has come from, but javascript is unrelated and is fine.
Javascript isn't "fine"
And in cases where JS is safer, it's because it simply has no option to implement a particular feature at all. (Or, it's because the browser takes the "credit" and the risk.)
If you want to be safe from IT security issues, get off the computer. Even a Linux or BSD PC is vulnerable if the server you're accessing was hacked. Buy a credit monitoring service!
I'd relax a little.
As you say, all software has holes and the safest way to use a computer is un-networked.
However, if you do use the internet javascript currently poses no elevated risk. Certainly nothing in the context of this article and drive by attacks.
Be safe out there kids.
At the end of the day there is nothing inherently safe about Linux / Free/Net/OpenBSD... They can all either be configured to be colanders or brick walls.