Users neglect Java patches, leave attack door wide open

Security expert suggests Oracle distribute Java fixes on Microsoft's update service

Oracle should piggyback on Microsoft's update service to boost users' chances of running a patched version of Java, a security expert said today.

"The solution would be to get rid of all these different update engines, and instead for companies like Oracle to collaborate with Microsoft to use Windows Update or WSUS to distribute fixes for Java," said Wolfgang Kandek, CTO at Qualys.

WSUS, or Windows Server Update Services, is the business-grade update mechanism that most companies rely on to distribute Windows and other Microsoft software patches.

According to data mined from Qualys' free BrowserCheck service, eight in 10 Windows PCs run one or more copies of Java, making Oracle's software just as popular as Adobe's Reader but behind Flash.

Of the systems with Java, more than 40 per cent were running an outdated version that contained at least one critical vulnerability, Kandek said. That puts Java at the top of the unpatched list. Even Adobe's Reader and Flash, which have gained reputations as criminals' preferred targets , are more likely to be up-to-date.

"Malware operators are always looking for new ways to allow their programs to take control over machines," said Kandek. "But the operating system has become increasingly difficult to attack, so exploit writers have focused their attention on critical vulnerabilities in third-party applications."

Kandek's spotlight on Java was no surprise: Earlier this week, Microsoft 's anti-malware team said an "unprecedented wave" of attacks was exploiting long-patched Java bugs. More than 3.5 million of the more than 6 million attacks in the first nine months of 2010, for instance, tried to exploit a Java Runtime Environment (JRE) flaw patched nearly two years ago.

"While the first wave of these exploits focused on Windows Office and the second wave on Adobe Reader and Flash, we're now seeing an increased attention on Java," Kandek said. Oracle 's software meets hackers' requirements: It's widely installed, it contains a number of well-known bugs and it's largely been ignored by IT staffers responsible for patching their organization's PCs.

While he acknowledged that the idea that Microsoft would distribute Java updates was a long shot, he thought it was worth considering. "The benefit is so big that if they could work together, it would result in a more robust [Windows] client," Kandek said.

Java has an update service of its own, but it's been criticized for being slow to notify users, and for allowing multiple editions to exist on a PC, leaving users vulnerable even if they've recently patched.

There is a precedent for Kandek's proposal. Apple , for example, distributes Java security patches to Mac OS X users via its own update process. The problem there, however, is that Apple has historically patched Java on the Mac months after the fixes were posted by Sun, Java's maker and the company Oracle acquired earlier this year.

Qualys' BrowserCheck scans Windows and Mac machines for vulnerable browsers or plug-ins, including Flash, Java, Apple's QuickTime and Reader. Danish vulnerability tracker Secunia offers a similar tool, dubbed Personal Software Inspector , that checks a much larger number of plug-ins and programs for outdated versions.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsMicrosoftsecurityWindowssoftwareMalware and Vulnerabilitiesoperating systemsOracle

More about Adobe SystemsAppleMicrosoftOraclePSIQualysSecunia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts