Microsoft hits Java where it hurts

Microsoft security researcher warns of deteriorating situation with Java -- and not just on Windows. Continuing to use Java puts your company and clients at risk

Four months ago I railed against Java -- or more accurately, against use of the Java Runtime Environment -- in the Tech Watch post "It's time to run Java out of town." Four months later, and the situation hasn't improved one iota. In fact it's gotten worse, if "worse" is an option for the No. 1 infection vector on both PCs and Macs.

Last week Microsoft Malware Protection Center researcher Matt Oh posted an article on TechNet about how to protect yourself from Java-based malware. To emphasize the point, he delivered a talk at Black Hat 2012 on the same day, saying the situation with Java is deteriorating -- and not just on Windows.

"We are seeing more and more Java vulnerabilities exploited in the wild ... one Java vulnerability can sometimes lead to exploitation on multiple platforms," Oh said.

Oh's main point of concern is sandbox breaches. If malware authors can jump out of the Java/JRE sandbox, they can take control of a system, whether it's running Windows, Mac OS X, or Unix. A single Java vulnerability -- like the "type confusion" security hole CVE-2012-1723, discovered just weeks ago, and the oldie CVE-2012-0507, which led to the Flashback botnet and more than 600,000 infected Macs earlier this year -- can result in successful exploits that bypass the operating system's defenses simply because they're running in Java.

"Type-confusion is a vulnerability that occurs when type safety check in Java Runtime Environment fails in verifying wrong types supplied to instructions working with different types. ... Some of the types from the Java system, like ClassLoader, can be the target of this attack. If those classes' type safety is broken, you can access some methods that are not supposed to be opened to processes outside of the class. This class' type safe violation ultimately leads to a Sandbox compromise for Java," Oh said.

Even worse, the fact that the program is written in Java makes it easier to obfuscate, using readily available automatic tools and well-documented scrambling techniques.

Oh's recommendation is that you get JRE updated and that you disable it whenever possible. If you don't use Java, uninstall the JRE.

My recommendation for IT is a bit more proactive: It's time to get your users off the JRE/JVM treadmill. If you have a product that requires JRE, migrate it. If your business plans call for JRE apps, modify them. If you or your dev team programs client apps that require JRE, it's time to expand your skill set.

By continuing to use Java, you're putting your company and your clients at risk.

This story, "Microsoft hits Java where it hurts," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.