If you’re using a PC, you may want to make sure your Java is up to date. Yesterday, Holly Stewart, of the Microsoft Malware Protection Center, highlighted the “unprecedented” number of Java exploits that have occurred in 2010. In her blog post, Stewart said the Java attacks have spiked from under 300,000 at the beginning of the year to well over 6 million, and growing. The main problems: Java is used ever more frequently, threats are hard to detect, and users aren’t upgrading to fix security holes.
“Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don’t think to update it,” writes Stewart. “On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it’s running?”
The majority of exploits center around three particular vulnerabilities, all of which have fixes available for download. But is Java's vendor doing enough to stop these threats? Brian Krebs, a security reporter, thinks Sun, and parent company Oracle, have been given a free pass.
“Adobe has taken some lumps over the past year for the number of critical vulnerabilities that hackers have found and exploited in its software,” said Krebs on his blog last week. “But for some reason, Java seems to get a pass from the tech and security press, even though Java flaws consistently are found to be the most useful for attackers who wield these automated exploit kits.”
Krebs also points out that Java’s updater only checks for updates once every two weeks, and often fails to detect if a new version is available.
On October 12, Oracle released a massive patch that fixes 29 bugs and security holes in Java. That patch can be downloaded here.