Users neglect Java patches, leave attack door wide open

Security expert suggests Oracle distribute Java fixes on Microsoft's update service

Oracle should piggyback on Microsoft's update service to boost users' chances of running a patched version of Java, a security expert said today.

"The solution would be to get rid of all these different update engines, and instead for companies like Oracle to collaborate with Microsoft to use Windows Update or WSUS to distribute fixes for Java," said Wolfgang Kandek, CTO at Qualys.

WSUS, or Windows Server Update Services, is the business-grade update mechanism that most companies rely on to distribute Windows and other Microsoft software patches.

According to data mined from Qualys' free BrowserCheck service, eight in 10 Windows PCs run one or more copies of Java, making Oracle's software just as popular as Adobe's Reader but behind Flash.

Of the systems with Java, more than 40 per cent were running an outdated version that contained at least one critical vulnerability, Kandek said. That puts Java at the top of the unpatched list. Even Adobe's Reader and Flash, which have gained reputations as criminals' preferred targets, are more likely to be up-to-date.

"Malware operators are always looking for new ways to allow their programs to take control over machines," said Kandek. "But the operating system has become increasingly difficult to attack, so exploit writers have focused their attention on critical vulnerabilities in third-party applications."

Kandek's spotlight on Java was no surprise: Earlier this week, Microsoft's anti-malware team said an "unprecedented wave" of attacks was exploiting long-patched Java bugs. More than 3.5 million of the more than 6 million attacks in the first nine months of 2010, for instance, tried to exploit a Java Runtime Environment (JRE) flaw patched nearly two years ago.

"While the first wave of these exploits focused on Windows Office and the second wave on Adobe Reader and Flash, we're now seeing an increased attention on Java," Kandek said. Oracle's software meets hackers' requirements: It's widely installed, it contains a number of well-known bugs and it's largely been ignored by IT staffers responsible for patching their organization's PCs.

While he acknowledged that the idea that Microsoft would distribute Java updates was a long shot, he thought it was worth considering. "The benefit is so big that if they could work together, it would result in a more robust [Windows] client," Kandek said.

Java has an update service of its own, but it's been criticized for being slow to notify users, and for allowing multiple editions to exist on a PC, leaving users vulnerable even if they've recently patched.

There is a precedent for Kandek's proposal. Apple, for example, distributes Java security patches to Mac OS X users via its own update process. The problem there, however, is that Apple has historically patched Java on the Mac months after the fixes were posted by Sun, Java's maker and the company Oracle acquired earlier this year.

Qualys' BrowserCheck scans Windows and Mac machines for vulnerable browsers or plug-ins, including Flash, Java, Apple's QuickTime and Reader. Danish vulnerability tracker Secunia offers a similar tool, dubbed Personal Software Inspector, that checks a much larger number of plug-ins and programs for outdated versions.

Gregg Keizer

Computerworld (US)