Robert Hensing's Blog

Software Security . . . and stuff.

JRE pwnage


So this is a great write-up by Symantec on the rise not only in vulnerabilities in the Sun Java Runtime Environment but in active exploitation of those vulnerabilities.

http://www.symantec.com/enterprise/security_response/weblog/2007/07/new_trend_in_attacking_the_jav.html

This all just makes sense to me . . . people bemoan the Microsoft 'monoculture' as dangerous due to its ubiquity, but they often overlook the *other* monocultures out there that are equally dangerous, if not more so.  Think about every OEM PC made in the last 5 years . . . what is pre-installed on that bad boy for you?  Why, I bet you get a copy of the Sun JRE and / or Adobe Acrobat and Flash.

We've already seen the MPack exploit framework attempting WinZip and QuickTime ActiveX control vulnerabilities - it makes sense that they'd try to increase their success rates with software that's harder to get patched (does the Sun JRE even have an automatic update ability?  Is your mom going to know how to patch Java on her machine?).

IMHO - this article is just more evidence that the bad guys are increasingly turning their focus to other vendors who make ubiquitous software, because at the end of the day it's all about the data and the money for them - they don't really care who makes the software.  I'm just glad we have products developed under several years' worth of the SDL coming on-line (Vista, Office 2007 etc.) . . . too bad the other vendors can't say the same. :)

Comments
  • "Does the Sun JRE even have an automatic update ability?"

    Yes, it does - it's a Run key entry - but it only works for administrators. Anyone who only ever logs into their machine as a standard user will never see it.

  • ...and when you update JRE the old version is still there ;)
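The two comments above point at two things an administrator would want to check on a Windows box: whether the JRE updater's autostart is present at all, and whether older runtimes are still installed alongside the current one. The script below is an added example written for this page, not code from the blog or its commenters. It assumes the JRE registers itself under the standard Uninstall keys with a DisplayName containing "Java" and that the updater's autostart lives in one of the standard Run keys; entries are matched by pattern rather than by a hard-coded value name, which is an assumption rather than something the post states.

```powershell
# Added example (not from the post or its commenters): inventory Java runtimes
# and Java-related Run-key autostarts on a Windows machine so that leftover
# old versions and a missing updater can be spotted.
# Assumption: JRE uninstall entries have a DisplayName containing "Java".

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every installed product whose display name mentions Java.
$javaInstalls = foreach ($root in $uninstallRoots) {
    if (Test-Path $root) {
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -match 'Java') {
                [pscustomobject]@{
                    Name    = $p.DisplayName
                    Version = $p.DisplayVersion
                    Key     = $_.PSChildName
                }
            }
        }
    }
}

$javaInstalls | Sort-Object Version | Format-Table -AutoSize

# More than one JRE entry means an older (unpatched) runtime is still present
# alongside the updated one; the old one should be uninstalled.
if (@($javaInstalls).Count -gt 1) {
    Write-Warning "Multiple Java runtimes installed: older versions remain after update."
}

# Run-key autostarts. Per the comment above, the updater scheduled here only
# does its job for administrators, so a machine used only by standard users
# may never update; no matching entry at all means no automatic updates.
$runRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$found = $false
foreach ($root in $runRoots) {
    if (Test-Path $root) {
        $props = Get-ItemProperty $root
        $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
        foreach ($name in $names) {
            # Match on either the value name or the command line it launches.
            if ($name -match 'Java' -or $props.$name -match 'java') {
                "{0}\{1} = {2}" -f $root, $name, $props.$name
                $found = $true
            }
        }
    }
}
if (-not $found) {
    Write-Warning "No Java-related Run-key entry found: the JRE updater is not set to autostart."
}
```

Run it from an elevated prompt so that both the HKLM hives and the per-user Run key are readable. The version sort is a plain string sort, which is good enough to eyeball duplicates but not to decide which entry is newest; for that, compare the DisplayVersion fields by hand or with [version] casts where they parse.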
