Microsoft issues warning over wave of Java attacks

Posted by Emma Woollacott

 Microsoft security expert has warned that Java-based malware attacks are on the rise.

Holly Stewart says that while working on the company's Security Intelligence Report she noticed an unprecedented amount of Java exploitation late last year.

"In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored," she says.

The spike, she says was caused by attacks on three volnerabilities - all of which are already patched. The problem, says Stewart, is that users simply aren't updating their machines.

"Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it," she says. 

"On top of that, Java is a technology that runs in the background to make more visible components work.  How do you know if you have Java installed or if it's running?"

And these attacks are going unnoticed, she says, because intrusion detection and prevention system companies find it tricky parsing Java code. It's not easy protecting documents, multimedia and JavaScript, and incorporating a Java interpreter into an IPS engine could have a massive effect on network performance. 

"So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light.  Call it Java-blindness," she says.