Fixing Java Vulnerabilities By Industry Collaboration

Malware operators are always looking for new ways to let their programs take control of additional machines. Their primary targets are Windows-based machines, because they have the largest install base.

However, the operating system has become increasingly difficult to attack, so exploit writers have focused their attention on critical vulnerabilities in third-party applications. These third-party vulnerabilities usually require user interaction (e.g. browsing to a certain web page, opening an e-mail, playing a media file) to be successfully exploited, but malware operators have been able to achieve high conversion rates by using social engineering techniques and planting their attacks on trusted web sites.

While the first wave of these exploits focused on Windows Office and the second wave on Adobe Reader and Flash products, we are now seeing increased attention on Java. Java has the basic characteristics attackers look for: it is widely installed, it has a set of well-known vulnerabilities, and it has been largely ignored by IT administrators for patching.

Data collected through the BrowserCheck application shows that over 80% of all visiting workstations have Java installed. Of these machines, over 40% run a version of Java that has a critical vulnerability, making it the most vulnerable plug-in of all and giving malware an excellent chance to install itself and control the targeted machine.

A possible solution is to include Java in an existing automated update process. It would be ideal if Oracle/Sun could collaborate with Microsoft to use the well-established and robust WSUS update process to distribute fixes for Java. If this mechanism could then be extended to all major software vendors, the Internet would become increasingly safer to use for all of us.

As the CTO for Qualys, Wolfgang Kandek is responsible for product direction and all operational aspects of the QualysGuard platform and its infrastructure. Wolfgang has over 20 years of experience in developing and managing information systems. His focus has been on Unix-based server architectures and application delivery through the Internet. Prior to joining Qualys, Wolfgang was Director of Network Operations at the online music streaming company myplay.com and at iSyndicate, an Internet media syndication company. Earlier in his career, Wolfgang held a variety of technical positions at EDS, MCI and IBM. Wolfgang earned a Master's and a Bachelor's degree in Computer Science from the Technical University of Darmstadt, Germany.