Join 3,413 readers in helping fund MetaFilter (Hide)


Are there really java viruses?
February 18, 2012 2:26 PM   Subscribe

Are there really Java viruses?

Lately I've seen various claims around the net that that Java viruses are a big problem. Mostly I've assumed that either they really mean javascript, or the claims are just some sort of anti-Java astroturfing. But now I'm wondering if there's anything to it. I'm hoping that some Mefi java experts can fill me in.

I do recall once or twice getting virus warnings about Java jar files in my browser cache, but its been years since that happened. Also, I thought the JVM had lots of protections, sandboxing, etc., to prevent virus-type actions.

So what's the real story? I'm a software developer, but mainly in C/C++, so I'm not really a Java expert. Thanks in advance for your help.
posted by DarkForest to Computers & Internet (8 answers total) 2 users marked this as a favorite
 
Java is part of the attack surface of a web browser. Most browsers have Java, so if you find a bug in the Java implementation and exploit it you get access to the computer. In that way it's really not that different from Flash, or image loading bugs, or any of the hundreds of other avenues to break into a computer via the web. There's nothing particularly Java-specific about it except that it's a bit easier to craft a payload for Java, since it's a program interpreter and all.

I don't have statistics on hand for virus prevalence, but if I had to guess I'd say it was #3 behind Flash and PDF bugs. It's ongoing, for instance just this month Java Security Update Scrubs 14 Flaws. Note "Oracle estimates that Java is installed on more than three billion machines worldwide." It's an attractive target.
posted by Nelson at 2:38 PM on February 18, 2012 [2 favorites]


From a server perspective:

Strictly speaking, viruses seem less likely than one-time privilege escalations and trojans. It isn't a problem unique to Java, though. Your C/C++ code is just as much at risk.
posted by b1tr0t at 2:41 PM on February 18, 2012


Note "Oracle estimates that Java is installed on more than three billion machines worldwide." It's an attractive target.
Note that Java is heavily used in cloud computing, which tends to prefer lots of tiny server instances over few large instances. So that is relevant to consider when thinking about these numbers.
posted by b1tr0t at 2:42 PM on February 18, 2012


Yes, there are Java viruses. The JavaVM is a pretty complex piece of software, and it's not impossible to break out of it.

The Java Native Interface (JNI, the way for Java code to interact with native code) can be a pretty damn big whole. For example, the QuickTime Java library uses JNI to give Java code a way to interact with QuickTime installed on the user's machine. Early versions used to pass a raw memory pointer to Java as an "opaque" handle value. Some people figured this out and started manipulating the handle value to get arbitrary code injected into the OS from the JavaVM.
posted by sbutler at 2:52 PM on February 18, 2012


There are not only Java virii, but they were the most commonly observed types of exploits in the first half of 2011. It's in no way astroturfing or anti-Oracle sentiment.
posted by eschatfische at 3:46 PM on February 18, 2012


Thanks for your answers so far. I guess what I'm really asking is not whether a Java virus is possible, but how big a deal they are in practice. That Microsoft link would seem to answer my question, but well... it's Microsoft. I wouldn't think of them as a good source of even-handed information about Java. Can that sort of information be corroborated elsewhere?
posted by DarkForest at 4:03 PM on February 18, 2012


A summary of 2010's malware threat trends from Symantec, one of the leading anti-malware vendors, mentions Java frequently and theorizes based on prevalence of Java-based exploits that Java will be virus developers' target of choice in 2011.

Kaspersky Lab, another leading anti-malware vendor, writes that Java was the target of choice for exploit kits in 2011.

Former Washington Post reporter and cybercrime journalist Brian Krebs wrote an article about the severity of Java security concerns back in 2010. In November, he discusses more recent Java exploits, and concludes both articles with the advice "If you don’t need Java, get rid of it."

As an IT professional, I can assure you that in my experience, it is incredibly common to see web-based malware attempt to infect machines through Java exploits - and I suspect that any other IT professional who manages user desktops and anti-malware software will say the same.
posted by eschatfische at 5:22 PM on February 18, 2012


Interesting links, eschatfische. Thank you very much.
posted by DarkForest at 5:42 PM on February 18, 2012


« Older We've only been dating for a f...   |  Have you read Dhalgren by Samu... Newer »
This thread is closed to new comments.