Java the preferred point of entry for online criminals

Summary: It used to be Adobe and maliciously crafted Word, Excel, and PowerPoint documents, but Java now takes the cake compared to those methods, according to Cisco.

TOPICS: Security, Cisco, Malware

Online criminals and scammers are having much more luck breaking into others' computers with Java rather than the usual desktop application exploits, according to findings from Cisco's 2014 Annual Security Report.

According to Cisco's network security subsidiary Sourcefire, which it acquired in July last year, Java is the key culprit in web exploits 91 percent of the time.

However, Sourcefire has restricted its range of web exploits to Java; Microsoft Word, Excel, and PowerPoint; and Adobe Reader.

Cisco's own Threat Research Analysis and Communications/Security Intelligence Operations (TRAC/SIO) group, rather than Sourcefire, presents a different picture within the same report.

TRAC/SIO found that Java malware encounters, measured against "all web malware", peaked at just 14 percent in April.

Nevertheless, a large percentage of businesses are leaving themselves at risk. Looking into the companies running its web security services offering, Cisco said that 76 percent of these organisations are running Java 6, which is no longer supported by Oracle.

Both Cisco's and Sourcefire's findings point to an increased focus on Java rather than Adobe. In 2011, M86 Security Labs' ranking of exploits saw Java receive two mentions on its top 15 list. The top places were occupied by Microsoft Internet Explorer and Office, as well as a large number of Adobe Reader and Acrobat vulnerabilities.

There have been a huge number of flaws in Java that have required Oracle to act, but the focus on Java is corroborated by the findings of AV-Test. This month, the organisation revealed that between 2000 and now, Java has contributed the most to breaches.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Java applets

    Is this Java applets or all Java applications?
    • My guess would be the Java browser plugin.

      Both of the Java vulnerabilities in the "top 15" list mentioned in the article are via the browser.
  • On the horizon... Google Chrome and other Google software

    Given the pervasive deceptive installation practices it's the next Trojan Horse of choice and it's already started.

    Yeah yeah it's secure... that's what the Java hucksters claimed when they started... Now they're the biggest hole. Try as they might Google will fall... just remove it and avoid the next wave of malware. That's the same recommendation security experts give for Java and it's darn good advice.
  • Java applets, Active-X....

    Any runtime plugin for the browser is a vector for an attack.