Jump to content
sicilianul

Security of Java takes a dangerous turn for the worse, experts say

Recommended Posts

Posted

Security of Java takes a dangerous turn for the worse, experts say

Beware of increasingly advanced exploits targeting flaws that will never be fixed.

by Dan Goodin - Sept 12 2013, 3:35am GTBDT

The security of Oracle's Java software framework, installed on some three billion devices worldwide, is taking a turn for the worse, thanks to an uptick in attacks targeting vulnerabilities that will never be patched and increasingly sophisticated exploits, security researchers said.

The most visible sign of deterioration is in-the-wild attacks exploiting unpatched vulnerabilities in Java version 6, Christopher Budd, threat communications manager at antivirus provider Trend Micro, wrote in a blog post published Tuesday. The version, which Oracle stopped supporting in February, is still used by about half of the Java user base, he said. Malware developers have responded by reverse engineering security patches issued for Java 7 and using the insights to craft exploits for the older version. Because Java 6 is no longer supported, those same flaws will never be fixed.

"This is a large pool of vulnerable users who will never be protected with security fixes and so [they're] viable targets for attack," Budd said.

He went on to cite the recent bundling of the JAVA_EXPLOIT.ABC trojan in the Neutrino Exploit Kit, a software tool available on the Internet that streamlines the development of exploits. JAVA_EXPLOIT.ABC exploits the CVE-2013-2463 vulnerability that Oracle fixed in Java 7 two months ago.

The other dynamic causing the decline in Java security is the increase in ever-more-sophisticated exploits that target a much lower level of the Oracle software platform, known as the Java native layer. Trend Micro researchers described the maturing of this technique in a blog post a couple weeks ago.

Budd recommended people make it a priority to update to version 7, an undertaking that will be painful for businesses with custom-written apps that work only on the older Java version. Those who can't update should take steps to mitigate the damage that can be done. He also draws parallels to the retirement of Windows XP that Microsoft has scheduled for April.

Source: Security of Java takes a dangerous turn for the worse, experts say | Ars Technica

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...