Java Keeps Security Managers Up At Night

First, it was Microsoft Office. Then it was Adobe PDF. Now the bad guys have chosen a new favorite platform for attack: Java.

By the beginning of 2010, attacks on vulnerabilities in Java had surpassed attacks on PDF flaws, according to the Microsoft Malware Protection Center blog. In the third quarter, Microsoft witnessed more than 6 million exploit attempts against Java vulnerabilities -- and less than 100,000 against PDF flaws.

"Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it," writes Holly Stewart, senior program manager at Microsoft, in the blog. "On top of that, Java is a technology that runs in the background to make more visible components work."

Microsoft is not the only company to notice the increase. SecureWorks, a managed security firm that tracks malicious code and toolkits, has noted the spike in attacks on Java vulnerabilities as well.

"Java has always been a standard part of the exploit kits -- the kits generally have one, maybe two or three, Java exploits in there by default," says Don Jackson, director of threat intelligence for SecureWorks.

For home users, defending against attacks on Java is straightforward -- just uninstall all versions of Java, Jackson says. But merely disabling Java in the browser is not enough, he says, as at least one recent vulnerability does not need browser access to exploit Java.

Enterprisess have a more difficult problem because they frequently use Java to create critical internal applications. Moreover, many times companies need older -- and unpatched -- versions of Java to make their applications work, says Jackson, a former Java developer.

"The way that you write some of the lower level application logic is going to be very dependent on the version of Java you are running," Jackson says. When Java is upgraded, older versions are left on the user's desktop to support older programs. "It leaves those old versions on there by default [because] enterprises that do use Java apps ... are very much tied to developing according to the specific Java version."

Organizations should inventory the various versions of Java that are installed on their employees' systems, experts say. This inventory generally requires a vulnerability or patch management system because user-level access is needed on systems. In addition, Java is sometimes installed as part of a program, such as OpenOffice, making it more difficult to manually keep track of the different versions.

"A lot of applications come with their own Java Runtime Environment," Jackson says. "Figuring out which versions of Java you are actually running is not an easy task."

Next, companies should figure out what versions of Java they need to run, and whether they can run the latest version across all of their systems, says Mickey Boodaei, CEO of security software firm Trusteer.

"If they have good understanding of what they have, remove what they don't need, and keep good track of maintaining their software, then they will be in a better position," Boodaei says.

Boodaei recommends taking stock of the latest version of Java -- as well as all third-party browser plug-ins -- on a regular basis.

Companies should remove the versions of Java they can live without and, if possible, upgrade to use only the latest version, according to experts. Although updating applications to work with the latest version of Java can be costly, the security advantages are well worth the expense, says Gerhard Eschelbeck, CTO at security service provider Webroot.

"The reason attackers moved to Java is that organizations have been very diligent over the past few years in finding and fixing vulnerabilities in Office and Adobe," Eschelbeck says. "We now need to do the same on Java."

Keeping external Java code from entering the enterprise and whitelisting internal servers can also aid in plugging Java vulnerabilities, experts say.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.