
Microsoft: Java Worse Than PDF as Security Threat

Java should be considered a top software security threat, even more so than Adobe PDF files, according to Microsoft's announcement issued today.

Holly Stewart of the Microsoft Malware Protection Center (MMPC) noted that Adobe's software has tended to get the rap for security problems that require patching, but Java deserves perhaps more attention as a vector for attacks. She cited MMPC data from the third quarter showing that malware exploit attempts using Java (not to be confused with JavaScript) exceeded those using Adobe PDF files.

Exploit attempts leveraging Java peaked at more than six million in the third quarter. In contrast, exploit attempts tapping PDF files in that same time period were measured in the thousands, according to MMPC data.

The Java exploit attempts on Windows machines for the most part used known security issues for which Microsoft has already issued patches, according to Stewart. Those patches include CVE-2008-5353, CVE-2009-3867 and CVE-2010-0094, all of which are associated with the Java runtime environment. Microsoft particularly noted exploits associated with the CVE-2008-5353 bulletin as "a major problem."

The low profile for Java as a software security attack vector is due, in part, to the lower volume of attacks compared with malware families such as Zbot, according to Stewart. She also speculated that makers of intrusion prevention system software have trouble figuring out Java code themselves and so haven't sounded the alarm.

Stewart pointed to a post by security researcher Brian Krebs as one of the few outlets pointing to Java as a potential security problem. According to Krebs, the regular monthly Java patches delivered by Oracle through automatic updates aren't frequent enough to ward off potential attacks. He recommended increasing the frequency of Java update checks. Alternatively, for those not really needing Java, he recommended just removing the Java runtime environment altogether.

Still, Java is popularly used. According to Oracle's Web site, "Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices."

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.
