My last posting addressed the issue of whether the upside for having Java installed on your computer outweighed the downside. It's not a cut and dried decision, but as a rule of thumb, anyone who thinks Java is a type of coffee probably shouldn't have it on their computer.
The main point, that bad guys are increasingly using bugs in old versions of Java to install malicious software, was further driven home today by Microsoft's Holly Stewart, in a posting on their Malware Protection Center blog. As she described it, the latest stats from Microsoft turned up "an unprecedented wave of Java exploitation."
The Java bugs that Microsoft found being exploited most often had all been patched long ago. Clearly, Windows users are not applying bug fixes to installed copies of Java (technically the JRE, the Java Runtime Environment).
This is no surprise to Secunia. According to their Half Year Report 2010:
The number of vendors who are deploying and promoting effective updating mechanisms is quite limited ... the overall picture of all vendors, including most of the more popular vendors, is that updating of the programs on end-user PCs is largely neglected and left to the end-user. It appears that most vendors do not take significant steps to secure their users and customers before active exploitation takes place on a larger scale where it starts to threaten the overall reputation of the business.
... typical users are either unaware, or simply overwhelmed by the complexity and frequency of the actions required to keep ... programs ... secure. From an attacker's perspective, targeting 3rd party programs proves to be a rewarding path, and will probably remain so for an extended period of time ...
Too bad Oracle and Microsoft can't see fit to include Java updates along with Windows updates. In the Linux world, a single software update mechanism is the rule, but in the Windows world, it is unimaginable.
Google already embeds Flash and a PDF viewer with their Chrome browser, perhaps, in the future, they will add Java to their roster.
In the same report, Secunia found Java installed on 89% of the computers they analyzed. No wonder the bad guys attack it.
Still another reason for bad guys to use Java as their delivery mechanism is that Java applets are designed to run in a web page. View a web page, get infected. The bad guys don't need to trick victims into opening an attachment or installing a phony codec.
I have seen Java exploited first hand. As fate would have it, someone gave me an infected Windows XP computer to clean up the day after I wrote my previous blog posting. One of the malicious programs infecting the machine, according to ESET's online virus scan, was the "Java/TrojanDownloader.Agent.NBU trojan."
That, and another "threat" (an ESET term) were found in the folder
C:\Documents and Settings\userid\Application Data\Sun\Java\Deployment\cache\6.0\
The computer had not just one, but two, old versions of Java installed (an old edition of version 5 along with one of version 6).
Java can self-update, but the default is to check for updates only once a month. While you can change this to daily or weekly, I don't get a warm fuzzy feeling from it.
On a Windows XP machine, where the latest version of Java (version 6 update 22) had been cleanly installed (that is, older versions of Java were manually un-installed first) I found that it was checking for updates once a month, on day zero!
On top of that, the Java program that checks for updates (jusched.exe) was no longer running at system startup (I had manually changed this), so its claim that automatic checking was taking place at all was wrong.
If Java is installed, be aware that anything older than version 6 update 22 (the current release as of this writing) is vulnerable. You can check the installed version of Java at my JavaTester.org site.
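For readers who would rather check from a command prompt than a web page, here is a small Python script, added as an example and not part of the original post, that runs `java -version`, parses the version banner, and compares it with the same baseline of Java 6 Update 22. The sample banner strings are constructed to match the format a 2010-era JRE prints; the `java` command name is assumed to be on the PATH.

```python
"""Added example: flag a JRE older than Java 6 Update 22 (1.6.0_22)."""
import re
import subprocess

# Baseline from the post: anything older than 6 Update 22 is vulnerable.
BASELINE = "1.6.0_22"

# `java -version` prints a line such as:  java version "1.6.0_18"
# (newer OpenJDK builds say "openjdk version", so accept both).
_BANNER_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>[^"]+)"')


def parse_version(ver: str) -> tuple:
    """Turn '1.6.0_22' (or '1.6.0', or '11.0.2') into a comparable tuple.

    The update number after the underscore is optional and defaults to 0;
    a trailing '-b07' / '-ea' style suffix is ignored.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?", ver)
    if not m:
        raise ValueError(f"unrecognised Java version string: {ver!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_vulnerable(ver: str, baseline: str = BASELINE) -> bool:
    """True when `ver` is older than the baseline release."""
    return parse_version(ver) < parse_version(baseline)


def version_from_output(output: str) -> str:
    """Extract the version string from the text `java -version` prints."""
    m = _BANNER_RE.search(output)
    if not m:
        raise ValueError("no 'java version' line found in output")
    return m.group("ver")


def check_installed_java(java_cmd: str = "java"):
    """Run the real `java -version` (assumed to be on the PATH).

    Returns (version, vulnerable) or None if no Java is installed.
    """
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    # The banner historically goes to stderr; newer releases may use stdout.
    ver = version_from_output(proc.stderr + proc.stdout)
    return ver, is_vulnerable(ver)


# Constructed sample banners, not captured from a real machine.
SAMPLE_OLD = ('java version "1.6.0_18"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_18-b07)\n')
SAMPLE_CURRENT = ('java version "1.6.0_22"\n'
                  'Java(TM) SE Runtime Environment (build 1.6.0_22-b04)\n')

if __name__ == "__main__":
    for banner in (SAMPLE_OLD, SAMPLE_CURRENT):
        v = version_from_output(banner)
        print(v, "VULNERABLE" if is_vulnerable(v) else "current")
    print("installed:", check_installed_java())
```

Note that this only inspects the `java` that happens to be first on the PATH; a machine like the one described above, with an old version 5 and an old version 6 side by side, can answer "current" here while the browser plug-in still loads the older runtime, so the PATH check is a complement to, not a replacement for, removing the old copies.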
Mac users who need Java are at a disadvantage here. When it comes to Windows and Linux, Oracle is the keeper of the flame and releases new versions of Java. For reasons that I don't understand, only Apple issues updates to Java for the Mac, and they have historically lagged well behind Oracle.
Update: On October 20, 2010 Apple released a new version of Java for OS X 10.6 that brings it up to the same level (Java 6 Update 22) as Windows and Linux.
At this point, it seems that the Defensive Computing thing to do is to un-install Java. If you find that it's needed, you can always re-install it.
That said, there is a small chance that software you need will only run with certain versions of Java (think DLL hell). Considering everything, that's probably a risk worth taking. It seems to me that running old copies of Java is the bigger risk.
Update October 21, 2010: Trend Micro just chimed in on this. They, too, have seen increased exploitation of Java. See FAKEAV Update: Java Vulnerabilities and Improved Fake Alerts.
Update October 21, 2010: Just ran across an older warning from Microsoft about Java exploits. The warning was issued August 17, 2010 (see Unruy downloader uses CVE-2010-0094 Java vulnerability) by Marian Radu. He found malware that was exploiting a bug in Java 6 Update 18 (and earlier), a bug that had been patched roughly five months earlier.