“…an unprecedented wave of Java exploitation” – Holly Stewart, Microsoft.
Bottom line: many Java exploits go after vulnerabilities that have already been patched. Since Java runs on a wide variety of platforms, this makes it a very serious vector. You should stay alert for the automatic Java updates. You can also check the Java site (see link below).
The background hum of news about the increase in malware that uses Java vulnerabilities has now increased to a roar.
Today Daniel Wesemann wrote a very readable blog post on the SANS site about Java weaknesses.
Wesemann pointed to an October piece on Microsoft’s Malware Protection Center by Holly Stewart in which she writes: “What I discovered was that some of our exploit ‘malware’ families were telling a scary story – an unprecedented wave of Java exploitation.”
Wesemann described the method used by the recent “bpac” family of exploits. The Java vulnerability that it uses was patched in July, he points out.
The infection usually happens as follows:
“(1) User surfs to website that has been injected with the exploit
(3) The applet contains an exploit, here for CVE-2010-0840
(4) The applet is invoked with a parameter that tells it where to find the EXE
(5) If the exploit is successful, the EXE is downloaded and run”
And what is downloaded can be anything, like a back door that can steal your bank login information or turn your machine into a spam-pumping bot.
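The chain Wesemann describes (applet fetched, then the applet pulls down and runs an EXE) leaves a simple footprint in web proxy logs: the same client fetches a .jar and, shortly afterwards, an .exe. The script below is an added example, not code from the article or from SANS; it runs that correlation over a few constructed proxy log lines (timestamp, client, method, URL, status) with a hypothetical 60-second window and reports the client, both URLs and the gap between them. It is a triage aid, not proof of infection: legitimate software installers produce the same pattern, so hits are something to look at, not something to block on automatically.

```python
import re
from datetime import datetime
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article). Format assumed here:
# <ISO timestamp> <client IP> <method> <URL> <HTTP status>
SAMPLE_LOG = """\
2010-11-18T10:00:01 10.0.0.5 GET http://news.example/index.html 200
2010-11-18T10:00:03 10.0.0.5 GET http://cdn.example/widget.js 200
2010-11-18T10:00:05 10.0.0.5 GET http://badhost.invalid/loader.jar 200
2010-11-18T10:00:09 10.0.0.5 GET http://badhost.invalid/update.exe 200
2010-11-18T10:05:00 10.0.0.7 GET http://intranet.example/tools/setup.exe 200
2010-11-18T10:06:00 10.0.0.9 GET http://site.example/game.jar 200
2010-11-18T10:20:00 10.0.0.9 GET http://site.example/readme.exe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into (timestamp, client, url, status); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, status = m.groups()
    return datetime.fromisoformat(ts), client, url, int(status)


def find_jar_then_exe(log_text, window_seconds=60):
    """Return [(client, jar_url, exe_url, delta_seconds)] for every client that
    successfully fetched a .jar and then a .exe within window_seconds."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines() if l.strip()) if e]
    events.sort(key=lambda e: e[0])          # correlate in time order
    recent_jars = defaultdict(list)          # client -> [(ts, jar_url)]
    hits = []
    for ts, client, url, status in events:
        if status != 200:                    # only completed downloads matter
            continue
        path = urlparse(url).path.lower()
        if path.endswith(".jar"):
            recent_jars[client].append((ts, url))
        elif path.endswith(".exe"):
            for jar_ts, jar_url in recent_jars[client]:
                delta = (ts - jar_ts).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((client, jar_url, url, int(delta)))
    return hits


if __name__ == "__main__":
    for client, jar, exe, delta in find_jar_then_exe(SAMPLE_LOG):
        print(f"{client}: {jar} -> {exe} after {delta}s")
```

Only client 10.0.0.5 is reported: 10.0.0.7 fetched an EXE with no preceding applet, and 10.0.0.9's EXE came fourteen minutes after its .jar, outside the window. Tune the window to your own traffic; the applet in the described chain downloads the EXE immediately, so a short window keeps the noise down.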
Here is Oracle’s description of the two:
* Java is an object-oriented programming (OOP) language while JavaScript is an OOP scripting language.
* They require different plug-ins.
How to check to see if your machine needs updates
To test your machine to see if the latest version of Java is installed, go to this test link with your browser: http://www.java.com/en/download/help/testvm.xml
If your Java installation is out of date, you will see something like this:
If you have the current version, you will see something like this:
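The browser test page above is the simplest check, but on a fleet of machines you want something scriptable. The following is an added example, not from the article or from Oracle: it parses the banner that `java -version` prints (to stderr) into a comparable tuple, handling both the legacy `1.6.0_22` form that was current when this was written and the newer `11.0.2` / `17` form, and compares it against a minimum. The minimum version used here is a placeholder; substitute whatever the current Java release is when you run it.

```python
import re
import subprocess

# Placeholder, not a value from the article: set this to the current release.
MINIMUM_VERSION = (6, 0, 22)   # legacy form 1.6.0_22 -> (major 6, minor 0, update 22)

VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(banner):
    """Turn a `java -version` banner into (major, minor, update), or None.

    Legacy banners look like:  java version "1.6.0_22"
    Newer banners look like:   openjdk version "11.0.2" 2019-01-15  or  java version "17"
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    raw = m.group(1)
    legacy = re.match(r"^1\.(\d+)\.(\d+)(?:_(\d+))?", raw)   # 1.<major>.<minor>_<update>
    if legacy:
        major, minor, update = legacy.groups()
        return (int(major), int(minor), int(update or 0))
    modern = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw)  # <major>.<minor>.<patch>
    if modern:
        major, minor, patch = modern.groups()
        return (int(major), int(minor or 0), int(patch or 0))
    return None


def needs_update(installed, minimum=MINIMUM_VERSION):
    """True if Java is missing or older than the minimum; tuples compare element-wise."""
    return installed is None or installed < minimum


def installed_java_version():
    """Run `java -version` on this machine; None if no java binary is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    found = installed_java_version()
    print("installed:", found, "needs update:", needs_update(found))
```

Note that this only inspects the `java` on the PATH; browsers can be wired to a different runtime, and old updates are often left installed beside new ones, which is exactly why exploits for already-patched bugs keep working. Check the browser plug-in (the test page above does that) as well as the command line.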