Want the best security ROI? Update your Java
It’s been said time and time again: if you want your Java to remain untainted, make sure you’re using the freshest version you can. This advice has been reiterated by Microsoft’s Security Intelligence Report volume 16 (SIRv16), which counsels that keeping Java bang up to date provides maximum ROI for the security of your IT systems. According to the report, old Java plug-ins especially are at risk of attacks from exploit toolkits, and it’s a snap to hack into web pages using outdated software.
An idiosyncrasy of these tricksy exploit kits is that new vulnerabilities are constantly integrated and resolved vulnerabilities are removed as fixes are released. While early Blackhole exploit kits tended to home in on a wide range of vulnerable products, in recent years these malicious tools have narrowed their focus to a few select targets. Writing on the Microsoft Security Blog, Tim Rains identifies five key targets:
In general, the report notes an overarching increase in detected malware attacks worldwide: in 2013, 21.2% of computers studied by experts were affected. The fourth quarter of 2013 was particularly severe, with systems bombarded by a host of fiendish new malware tactics - including special variants of Sefnit, Rotbrow, and Brantall. The Sefnit-Bot gives attackers a variety of attack options, and is often used in connection with financial scamming through click hijacking or Bitcoin mining.
Whilst there was an increase in deception tactics in 2013, certain activities actually fell. Attacks on Java vulnerabilities decreased from 15% to 10%, which Microsoft links to the arrest of a suspected exploit kit operator. There’s little respite for Java users, however - in 2013, almost 75 percent of all attacks were by exploit kits targeting JRE vulnerabilities.
If all this talk of cyber criminals has put you on edge, remember that attacks on Java server applications are in fact still relatively rare. But, if you can, it pays to use the most recent versions of Java (easier said than done in some cases) - and, as Microsoft reiterates, check whether you need Java in the browser at all.