How Safe is YOUR Java?
2010 Sees 'unprecedented wave of Java exploitation.'
Holly Stewart, a member of the Microsoft Malware Protection Centre has published a report claiming this year has seen "an unprecedented wave of Java exploitation." By the beginning of 2010, the number of attacks on vulnerabilities within Java code had "well surpassed" the total number of Adobe-related exploits monitored by the Centre.
She found a spike in the third quarter of 2010, which mainly revolved around three vulnerabilities (CVE-2008-5353; CVE-2009-3867; and CVE-2010-0094.) Patches are available for all three of these vulnerabilities. In Stewart's opinion, this wave of attacks has been a long time coming, as the number of vulnerabilities in Java have been "increasing dramatically" since 2008. She cites figures which show the vulnerabilities in Java leaping a whopping 264% from 2007 to 2008.
But, if patches for the three vulnerabilities primarily responsible for the 2010 spike are available, then why is Java still the focus of so many attacks? According to Holly Stewart, it's the nature of the technology and our attitude to it that's at fault. Java runs in the background, and so users are less likely to monitor and update it. If you're concerned you might be running an outdated, or un-patched version of Java, then it might be time to get familiar with Oracle's Critical Patch Updates and Security Alerts page.