
I hate Java. Not the country or the beverage, but the programming language. Actually, not so much the language, but the way that it is used and distributed to PC and Mac users. A recent report from Microsoft stated that between one third and one half of the malware that they saw between 3Q 2010 and 2Q 2011 was written in Java. Java is a natural target for malware writers – it is cross platform and is installed on just about every computer used to connect to the Internet. Java is a force multiplier for the bad guys. Like any other software, the Java Runtime Environment (JRE), which allows Java applets to run on your computer, has its share of security flaws which are then exploited by attackers. Recently, one “pernicious” Java exploit which had only been available for purchase in the “computer underground” was made available in the Metasploit toolkit, which allows less skilled attackers to use it to craft their attacks.
If you are reading this on a computer that you own personally, stop right now and make sure that you are running the latest version of Java and other browser plugins on your system – Qualys has a nice site which does this for you automatically. Go ahead, I’ll wait…
In enterprises, upgrading Java is not as easy as it would seem. Many applications used by business were written with a particular version of Java in mind and they will stop working if you do the “right thing” and upgrade the JRE. As a result, many organizations are stuck with old and vulnerable versions of Java running on their systems.
There are solutions to this problem: install the new Java Runtime Environment alongside the old one, then set the PATH or JAVA_HOME environment variables to control which version of the JRE gets invoked. I’m going to be doing some research on this and will post the results.
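As an added example (not code from the original post), here is the PATH/JAVA_HOME approach as a small POSIX sh script: the newest JRE stays the machine default, one legacy application is pinned to the old JRE only inside its own launcher, and a version check confirms which JRE a given `java` actually is. The install paths and the jar name are assumptions.

```shell
#!/bin/sh
# Added example: side-by-side JREs, selected per application via JAVA_HOME/PATH.
# Assumed locations (not from the original post):
NEW_JRE=/opt/jre-latest      # current, patched JRE: the default for everything
OLD_JRE=/opt/jre-1.6         # old JRE kept only for one legacy application
LEGACY_JAR=/opt/legacy/app.jar

# Build a PATH with one JRE's bin first and every other JRE's bin removed,
# so the chosen application cannot silently pick up a different java.
jre_path() {   # usage: jre_path <jre-home> <base-PATH>
  jre="$1"; base="$2"
  cleaned=$(printf '%s' "$base" | tr ':' '\n' | grep -v '/jre[^/]*/bin$' | paste -sd: -)
  printf '%s' "$jre/bin${cleaned:+:$cleaned}"
}

# Extract the major version from `java -version` output (note: java prints it
# on stderr). Old JREs report "1.6.0_29", newer ones "11.0.2" or just "17".
java_major() {   # usage: java_major "<java -version output>"
  v=$(printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p')
  [ -n "$v" ] || return 1
  major=${v%%.*}
  if [ "$major" = "1" ]; then   # legacy 1.x numbering: the minor is the real major
    rest=${v#1.}; echo "${rest%%.*}"
  else
    echo "$major"
  fi
}

# Succeed only if the java that would actually run is at least the expected major.
check_jre_major() {   # usage: check_jre_major <expected-major> "<java -version output>"
  got=$(java_major "$2") || return 2
  [ "$got" -ge "$1" ]
}

# Make the patched JRE the default for the current shell (browser plugins and
# everything else launched from here see only this one).
use_default_jre() {
  JAVA_HOME="$NEW_JRE"; PATH=$(jre_path "$NEW_JRE" "$PATH"); export JAVA_HOME PATH
}

# Launch the legacy application with the old JRE pinned in its own environment,
# leaving the rest of the system on the patched JRE.
run_legacy_app() {
  JAVA_HOME="$OLD_JRE" PATH="$(jre_path "$OLD_JRE" "$PATH")" \
    "$OLD_JRE/bin/java" -jar "$LEGACY_JAR" "$@"
}
```

Run `check_jre_major 7 "$(java -version 2>&1)"` after `use_default_jre` to confirm the default really is the newer JRE before trusting it.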
In the meantime, a plea to applet developers… please make your software compatible with the newer, safer versions of Java. Let’s close down malware writers’ access via this particular hole.