December 2010 - Increase in Java Exploits
Increase in Java Exploits
Java is a programming and computing
platform widely used for stand-alone and web-based
applications/applets, including utilities, games, and business
applications. The platform was first released by Sun Microsystems
in 1995. Many applications and websites require end-users
to have Java installed, and the software is used extensively because of
its flexibility. Once a program has been created and compiled in
Java, it will run on a variety of software and operating system
platforms (such as Windows and Macs).
What are the potential cyber security concerns?
There has been a rapid increase in the amount of malware that
attempts to exploit vulnerabilities in Java. In the second
quarter of 2010, there were an estimated 500,000 exploits, up from
virtually zero a year before. Between Q2 2010 and the middle of Q3,
that figure had increased to more than six million.
The attacks rely in part on older versions of Java. When a
newer version of Java is released and installed on a machine, the older
version does not automatically get uninstalled. This behavior was
intended to provide an easy way to roll back to an older version in
case of compatibility issues. However, exploit code is publicly
available on the Internet, and hackers are using it to detect whether
previous versions of Java are installed on a user’s machine and to
exploit the vulnerabilities that exist in those versions.
What can I do to be safe?
Users should install the latest version of Java released by Oracle. To confirm that the correct version is installed, visit the following site: http://www.java.com/en/download/installed.jsp.
Because older versions of Java are not
automatically removed when newer versions are installed, it is
recommended that users take the extra step of uninstalling the older
versions if they are not needed.
Home users typically do not need the older versions of Java installed
once they have upgraded their Java software and should remove the older
versions of Java.
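The check below is an added example, not part of the original newsletter: it sorts a list of installed Java version names numerically and reports every one older than the newest. It assumes the legacy 1.x.y_zz version format; the sample directory names are constructed, and the optional install-root argument is an assumption about where Java is installed on a given machine.

```python
import os
import re
import sys

# Legacy Sun/Oracle version strings look like 1.<major>.<minor>[_<update>],
# e.g. 1.6.0_22. An optional jre/jdk prefix covers common directory names.
_VERSION = re.compile(r"^(?:jre|jdk)?-?1\.(\d+)\.(\d+)(?:_(\d+))?(?:[-+].*)?$", re.I)


def parse_java_version(name):
    """Return (major, minor, update) as ints, or None if the name does not match."""
    m = _VERSION.match(name.strip())
    if not m:
        return None
    major, minor, update = m.groups()
    return (int(major), int(minor), int(update or 0))


def classify(names):
    """Split names into (newest, stale, unknown).

    Comparison is numeric: a plain string sort would rank 1.6.0_9 above 1.6.0_22.
    """
    parsed = {n: parse_java_version(n) for n in names}
    known = {n: v for n, v in parsed.items() if v is not None}
    unknown = sorted(n for n, v in parsed.items() if v is None)
    if not known:
        return [], [], unknown
    top = max(known.values())
    newest = sorted(n for n, v in known.items() if v == top)
    stale = sorted((n for n, v in known.items() if v < top), key=lambda n: known[n])
    return newest, stale, unknown


# Constructed sample: directory names as they might appear under a Java install root.
SAMPLE = ["jre1.5.0_11", "jre1.6.0_9", "jre1.6.0_22", "jdk1.6.0_22", "jre6"]

if __name__ == "__main__":
    # Optional argument: a directory to list (assumed install root); else use SAMPLE.
    names = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    newest, stale, unknown = classify(names)
    print("newest:", ", ".join(newest) or "none found")
    for n in stale:
        print("older version still installed, remove if not needed:", n)
    for n in unknown:
        print("not recognised, check by hand:", n)
```

Names that do not carry a full version string (such as the constructed `jre6`) are reported separately rather than guessed at.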
Additional Information
For more monthly cyber security newsletter tips visit: http://www.msisac.org/awareness/news/
Microsoft: http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
ZDNet: http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/microsoft-warns-of-java-exploit-rise-10020826/
Techworld: http://news.techworld.com/security/3246147/mac-users-hit-with-windows-style-koobface-trojan/
Cisco: http://blogs.cisco.com/security/java-exploits-another-example-of-tomorrows-threat-landscape-today-2/
SANS Internet Storm Center: http://isc.sans.edu/diary.html?storyid=9916
