Microsoft: Java worse than PDF as security threat

Java should be considered a top software security threat, even more so than Adobe PDF files, according to Microsoft's announcement issued today.

Holly Stewart of the Microsoft Malware Protection Center (MMPC) noted that Adobe's software has tended to get the rap for security problems that require patching, but Java deserves perhaps more attention as a vector for attacks. She cited MMPC data from the third quarter showing that malware exploit attempts using Java (not to be confused with JavaScript) exceeded those using Adobe PDF files.

Exploit attempts leveraging Java peaked at more than six million in the third quarter. In contrast, exploit attempts tapping PDF files in that same time period were measured in the thousands, according to MMPC data.

The Java exploit attempts on Windows machines used known security issues for the most part for which Microsoft has already issued patches, according to Stewart. Those patches include CVE-2008-5353, CVE-2009-3867 and CVE-2010-0094, all of which are associated with the Java runtime environment. Microsoft particularly noted exploits associated with the CVE-2008-5353 bulletin as "a major problem."

The low profile for Java as a software security attack vector is due, in part, from the lower volume of attacks compared with malware families such as Zbot, according to Stewart. She also speculated that makers of intrusion prevention system software have trouble figuring out Java code themselves and so haven't sounded the alarm.

Stewart pointed to a post by security researcher Brian Krebs as one of the few outlets pointing to Java as a potential security problem. According to Krebs, the regular monthly Java patches delivered by Oracle through automatic updates aren't frequent enough to ward off potential attacks. He recommended increasing the frequency of Java update checks. Alternatively, for those not really needing Java, he recommended just removing the java runtime environment altogether.

Still, Java is popularly used. According to Oracle's website, "Java runs on more than 850 million personal computers worldwide, and on billions of devices worldwide, including mobile and TV devices."

About the Author

Kurt Mackie is the online news editor for the 1105 Enterprise Computing Group sites, including, and

inside gcn

  • facial recognition tech (Artem Oleshko/

    Biometric ID spots imposters at land crossing

Reader Comments

Wed, Nov 3, 2010

What about Java on Linux? Curiously that is not addressed in the analysis....

Thu, Oct 21, 2010 WOR

I would rather see statistics on successful exploits, not the "exploit attempts" sited here. So a bunch of malware is trying an exploit... yeah, but what vulnerabilities are actually working for the crooks?

Thu, Oct 21, 2010

Wonder how much of that "insecurity" is induced by the way Microsoft codes the linkages that Java uses?

Microsoft still does not like Java because of the legal beating they took over it some years ago, and they hate the fact that it allows users to use non-Microsoft products, unlike those who try to read active-X coded files.

And one has to wonder about how many security flaws are hidden in active-X that Microsoft does not fix unless someone points them out instead of exploiting them...

Unfortunately, there is no such thing as secure software, unless it is off. And just because Microsoft would prefer you to use their software instead of someone else's software does not mean that you will be any safer, especially the way windows intertwines everything and has so many patches and overlays over the years instead of designing new software (reminds me of some of the roads here, instead of fixing the rotting road base, they toss some tar and asphalt on top and call it good for a few months)...

Thu, Oct 21, 2010

Isn't this like asking Ford about the safety of Chevrolet cars? OF COURSE they're going to say it will trigger Armageddon. Get this from an un-biased source and it might mean something. Otherwise it is just propaganda.

Wed, Oct 20, 2010 Jeffrey A. Williams Frisco Texas

Holly's right IMO. Java is and/or has represented a huge threat to those OS'es that have not fully taken into account the flexibility of Java. JavaScript however represents an even larger bad use potential threat. However blaiming security holes in OS'es on Java is somewhat unfair although Oracle has not been a forthcomming as many would like, including myself as to point out the ever increasing flexability of Java and how that might pose a security threat on some OS'es accordingly

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group