News

Report: Java is the Most-Exploited Technology

Between a third and half of all software exploits were due to Java, according to Microsoft.

Oracle used to advertise its database software as unbreakable. The software giant would be wise, however, to not attach that word to its Java offerings.

Not only is Java crackable, it's the most crackable thing around.

According to a Microsoft Security Intelligence Report, released last month, the most common software exploit type in the first half of 2011 was associated with vulnerabilities in Oracle's Java Runtime Environment (JRE).

In the report, Microsoft found that between one-third and one-half of all exploits were due to JRE. Trendwise, the number of incidents continue to grow, quarter-over-quarter.

Tim Rains, a director at Microsoft's Trustworthy Computing Group, provided an explanation for why JRE continues to be a malware target in a Monday blog post. In it, he commented that the majority of Java vulnerabilities have already been addressed, but they persist because of a lack of diligence among users in updating their software.

"Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available for them for years," wrote Rains. "This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment."

Rains pointed out that the JRE exploit with the most traction has been a vulnerability that was disclosed to Oracle and fixed in March 2010. Although the flaw was addressed, attackers increased their exploitation of it tenfold between the last quarter of 2010 and the first quarter of 2011.

Brian Krebs, a security researcher and blogger, reiterated this point in a recent blog post. Attackers rely on users putting off their software updates, he noted. They quickly create and distribute commercial exploit packs.

"Users would need only to browse to a booby-trapped site with a version of Mozilla Firefox or Internet Explorerthat is running anything older than the latest Java package, and the site could silently install malware (according to a miscreant selling access to the exploit, it does not run reliably against Google Chrome for some reason)," Krebs wrote.

The solution? Make sure your software is up to date.

Rains points out that problems can arise when multiple different versions of JRE are running on the same network. He advocated taking time to make sure that all versions of JRE are up to date as a necessary precaution.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

comments powered by Disqus

Featured

  • New 'Visual Studio Hub' 1-Stop-Shop for GitHub Copilot Resources, More

    Unsurprisingly, GitHub Copilot resources are front-and-center in Microsoft's new Visual Studio Hub, a one-stop-shop for all things concerning your favorite IDE.

  • Mastering Blazor Authentication and Authorization

    At the Visual Studio Live! @ Microsoft HQ developer conference set for August, Rockford Lhotka will explain the ins and outs of authentication across Blazor Server, WebAssembly, and .NET MAUI Hybrid apps, and show how to use identity and claims to customize application behavior through fine-grained authorization.

  • Linear Support Vector Regression from Scratch Using C# with Evolutionary Training

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demonstration of the linear support vector regression (linear SVR) technique, where the goal is to predict a single numeric value. A linear SVR model uses an unusual error/loss function and cannot be trained using standard simple techniques, and so evolutionary optimization training is used.

  • Low-Code Report Says AI Will Enhance, Not Replace DIY Dev Tools

    Along with replacing software developers and possibly killing humanity, advanced AI is seen by many as a death knell for the do-it-yourself, low-code/no-code tooling industry, but a new report belies that notion.

  • Vibe Coding with Latest Visual Studio Preview

    Microsoft's latest Visual Studio preview facilitates "vibe coding," where developers mainly use GitHub Copilot AI to do all the programming in accordance with spoken or typed instructions.

Subscribe on YouTube