May 19, 2012

Hackers launch millions of Java exploits, says Microsoft

By Gregg Keizer, Computerworld
November 29, 2011 03:05 PM ET

Cryin' shame: 60% of Windows PCs lack 18-month-old Java update, adds expert

Hackers continue to launch attacks exploiting vulnerabilities in Oracle's Java software in record numbers, Microsoft said Monday.

Citing research from a recent report, Tim Rains, a director in the company's Trustworthy Computing group, said that up to half of all attacks detected and blocked by Microsoft's security software over a 12-month period were Java exploits.

Altogether, Microsoft stopped more than 27 million Java exploits from mid-2010 through mid-2011.

Most of those exploits targeted long-ago-patched vulnerabilities, said Rains.

The most commonly-blocked Java attacks — to the tune of over 2.5 million of them — in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the full 12-month stretch was an exploit of a bug patched in early December 2008, nearly three years ago.

Other bugs that made the actively-exploited list were quashed in November 2009 and March 2010.

Rains' comments followed a similar message from Microsoft in October 2010, when the company said an "unprecedented wave" of attacks was exploiting Java flaws.

Microsoft's findings were no surprise to outside security researchers.

"Most [Windows] machines are just not up-to-date with Java," said Wolfgang Kandek, chief technology officer at Qualys, a California developer of security risk and compliance management software and services.

Qualys regularly mines data from the customers' machines it protects to get a feel for updating practices. And for Java, those practices are pathetic.

"Java updates lag behind seriously," said Kandek, like Rains reiterating a 2010 take. "Eighty-four percent of the machines we see don't have the June 2011 Java update installed, 81% don't have the February 2011 update and 60% don't have the March 2010 update."

Qualys doesn't have enough scanning data yet to measure the patch rate for the October 2011 update, Oracle's latest, but Kandek estimated that as many as 90% of Windows PCs hadn't deployed those fixes.

Enterprises typically patch vulnerabilities in Microsoft's Windows much faster, Kandek continued, citing a "half-life" — meaning that half of all machines are patched — of 29 days for run-of-the-mill Windows bugs. Critical patches are deployed even quicker: Their half-life is about 15 days.

The pervasiveness of Java is one explanation for the high volume of attacks exploiting its bugs, said Andrew Storms, director of security operations for nCircle Security, in an interview conducted via instant message.

But its virtual invisibility to users is another.

"Java is not something [most users] interact with … similar to how Adobe Flash or Reader became the big, but silent, target," said Storms. "It's on everyone's computer, but rarely do you interact with it. [So] from the attackers' perspective, using Java as the silent killer is a smart move. If people don't know what it is or know what it does, they are less likely to update it. As such, you have to imagine there are tons and tons of old vulnerable installs out there."

Some of Qualys' enterprise customers are among those running out-of-date editions, said Kandek. "One issue is internal applications that require older versions of Java," he said.

Qualys' recommendation to companies in that boat: Block Java's use outside the network perimeter.

Criminal developers who craft exploit kits are constantly adding new Java exploits to their wares, Kandek continued, to supplement the older-but-still-effective exploits of older bugs. Those kits already have been equipped with exploits of the bugs Oracle patched in October.

Qualys provides its clients with an exploit mapper that shows which vulnerabilities are being leveraged in such kits. "If they cannot patch every vulnerability, this gives them a list of those that we know are being used in the wild right now," Kandek said.

Others have taken a much more aggressive line on Java.

Noted security blogger Brian Krebs, a former Washington Post reporter, has repeatedly urged consumers to uninstall Java from their Windows machines.

On Monday, echoing Kandek's claim that exploit kits are now armed with attack code that targets Java vulnerabilities Oracle patched in October, Krebs again advised users to scrub the Java plug-in from their browsers.

Microsoft's Rains didn't go that far, instead telling users that they should update Java, and keep it up to date.

"There is just too little focus, even now, on Java and its updates," said Kandek. "It's being exploited … right now."

Modern Mac owners need to ignore the dinosaurs and get protection

By Adrian Kingsley-Hughes | May 19, 2011, 6:12am PDT

I can’t believe that we’re still having a discussion over whether or not the bad guys have begun targeting Mac users. I really can’t. I’m truly staggered by the fact that people who have been around computers for decades and who are supposedly keeping their finger on the tech pulse are still clinging on for dear life to the notion that Mac is somehow immune or invulnerable to modern malware.

John Gruber, the guy behind the Mac site Daring Fireball says that those who dare to suggest that there’s a problem are crying wolf. To back up his ‘claim’ (and I can’t put enough quotes around that word so I won’t bother trying) he pulls quotes from the internet going all the way back to 2005. His point seems to be that because someone made a prediction in 2005 that a wave of Mac malware was coming, and it didn’t materialize, then it can’t possibly happen in 2011 either because of some ancient lore that says that things never change and the past always equals the future.

It’s a shame the world isn’t that simple.

I’ve one word to describe these people who choose to ignore the real problems facing the modern Mac user and instead choose to live in the past – Dinosaurs.

The Mac dinosaur, in its natural habitat!

Look around you, do you see any dinosaurs? No. Here’s why …

I bet the dinosaurs didn’t see that coming either!

Times have changed. The old-guard, fervor-filled dinosaurs of the past who for some reason (ego, self esteem, ignorance …) want to frantically and fanatically cheer lead have been replaced by the modern Mac user who sees the Mac as a tool rather than an idol. What is a modern Mac user? Well, for starters I see them as someone who started using a Mac since its transition from the PowerPC architecture to Intel architecture, a move which began in mid-2006. Much of the zealotry and nonsense spouted today dates back to the PowerPC years when owning a Mac was seen by many as a deviant pastime. Times have changed.

The modern Mac user also uses their machine in a very different way to the dinosaurs of old. People nowadays surf a lot more, social media has in many ways replaced email as the preferred method of communication. Multimedia on the web has exploded. More people doing more things in ways that we couldn’t really have dreamed possible a decade ago.

The modern Mac user is also very likely to be someone who, prior to owning a Mac, owned a PC (this is based on data from Apple which says that around 50% of those buying a new Mac are first-time buyers). This is important to bear in mind since these users are likely to have brought their bad Windows habits (bad habits that perhaps caused them to switch to Mac in the first place?) with them to the new platform.

The threats posed by the bad guys are also different. Very different. Rather than rely on viruses which spread by using system vulnerabilities, the bad guys have turned to the Trojan. This is malware disguised as something desirable – a game, a software utility, a porn video – and it relies on the user choosing to install it onto their system. It’s hard to protect against this kind of stuff because the user chooses to override the operating system’s desire to be cautious when it comes to installing stuff. Getting people to install their own malware has been a popular trick used against Windows users for some time now, and there’s no reason to think that the same trick wouldn’t work against the modern Mac users, especially given how many of them were Windows users not long ago.

The piece of malware that’s currently making the rounds is called Mac Defender (there are other variants called Mac Protector and Mac Security). It’s not particularly sophisticated. Infection goes something like this:

  • A user does a Google image search.
  • Among the listings are poisoned listings.
  • Clicking on these listings will take the Mac user to a web page that looks a lot like the Mac OS X Finder (the website uses browser and OS detect scripts to deliver different views and malware for different operating systems).
  • The fake Finder displays a ‘Scanning for viruses’ message followed by the inevitable ‘Your computer is at risk!’ message and offers a ‘Fix your problem’ link.
  • Link goes to the page where the user can download the Trojan.
  • Users install the Trojan.
  • Trojan nags users for money to remove malware.

This scheme will be familiar to most Windows users. While the trick might not be older than dirt, it sure has been around for a while. And against novices who are scared of malware, it’s a pretty efficient way to get them to install the very malware they’re afraid of onto their systems.

How big a problem is Mac Defender? It’s hard to get an accurate picture. Personally, I’ve heard from nearly a dozen people affected by it and a few dozen more who have been redirected to the fake Finder screen. My colleague Ed Bott has uncovered 42 separate discussion threads on Apple’s support forum and a confidential internal Apple document has seen some 20,000 page views since it was created (I’m assuming Apple support folks were accessing the document because of calls received and not for fun).

Fortunately, it’s pretty easy to remove … here’s a simple guide for removing Mac Defender. Unfortunately, Mac malware is likely to become more sophisticated and harder to remove.

Regular readers of this blog will know that I don’t feel the need to be a fanboy or cheerleader for one multibillion dollar corporation over another, and that instead I offer up what is my honest opinion as to what’s best for the user (usually the advice I give mirrors closely what I do myself). My advice for the modern Mac owner is simple – Ignore the dinosaurs and protect yourself from malware. Personally I use Sophos Free Antivirus for Mac but there’s plenty to choose from.

It’s that simple.

Ignore the dinosaurs. Download protection. Install it. Get on with life.

http://www.zdnet.com/blog/hardware/modern-mac-owners-need-to-ignore-the-dinosaurs-and-get-protection/12857?tag=nl.e539