Are there really java viruses?
February 18, 2012 2:26 PM Subscribe
Are there really Java viruses?
Lately I've seen various claims around the net that that Java viruses are a big problem. Mostly I've assumed that either they really mean javascript, or the claims are just some sort of anti-Java astroturfing. But now I'm wondering if there's anything to it. I'm hoping that some Mefi java experts can fill me in.
I do recall once or twice getting virus warnings about Java jar files in my browser cache, but its been years since that happened. Also, I thought the JVM had lots of protections, sandboxing, etc., to prevent virus-type actions.
So what's the real story? I'm a software developer, but mainly in C/C++, so I'm not really a Java expert. Thanks in advance for your help.
Lately I've seen various claims around the net that that Java viruses are a big problem. Mostly I've assumed that either they really mean javascript, or the claims are just some sort of anti-Java astroturfing. But now I'm wondering if there's anything to it. I'm hoping that some Mefi java experts can fill me in.
I do recall once or twice getting virus warnings about Java jar files in my browser cache, but its been years since that happened. Also, I thought the JVM had lots of protections, sandboxing, etc., to prevent virus-type actions.
So what's the real story? I'm a software developer, but mainly in C/C++, so I'm not really a Java expert. Thanks in advance for your help.
Yes, there are Java viruses. The JavaVM is a pretty complex piece of software, and it's not impossible to break out of it.
The Java Native Interface (JNI, the way for Java code to interact with native code) can be a pretty damn big whole. For example, the QuickTime Java library uses JNI to give Java code a way to interact with QuickTime installed on the user's machine. Early versions used to pass a raw memory pointer to Java as an "opaque" handle value. Some people figured this out and started manipulating the handle value to get arbitrary code injected into the OS from the JavaVM.
posted by sbutler at 2:52 PM on February 18, 2012
The Java Native Interface (JNI, the way for Java code to interact with native code) can be a pretty damn big whole. For example, the QuickTime Java library uses JNI to give Java code a way to interact with QuickTime installed on the user's machine. Early versions used to pass a raw memory pointer to Java as an "opaque" handle value. Some people figured this out and started manipulating the handle value to get arbitrary code injected into the OS from the JavaVM.
posted by sbutler at 2:52 PM on February 18, 2012
There are not only Java virii, but they were the most commonly observed types of exploits in the first half of 2011. It's in no way astroturfing or anti-Oracle sentiment.
posted by eschatfische at 3:46 PM on February 18, 2012
posted by eschatfische at 3:46 PM on February 18, 2012
Response by poster: Thanks for your answers so far. I guess what I'm really asking is not whether a Java virus is possible, but how big a deal they are in practice. That Microsoft link would seem to answer my question, but well... it's Microsoft. I wouldn't think of them as a good source of even-handed information about Java. Can that sort of information be corroborated elsewhere?
posted by DarkForest at 4:03 PM on February 18, 2012
posted by DarkForest at 4:03 PM on February 18, 2012
Best answer: A summary of 2010's malware threat trends from Symantec, one of the leading anti-malware vendors, mentions Java frequently and theorizes based on prevalence of Java-based exploits that Java will be virus developers' target of choice in 2011.
Kaspersky Lab, another leading anti-malware vendor, writes that Java was the target of choice for exploit kits in 2011.
Former Washington Post reporter and cybercrime journalist Brian Krebs wrote an article about the severity of Java security concerns back in 2010. In November, he discusses more recent Java exploits, and concludes both articles with the advice "If you don’t need Java, get rid of it."
As an IT professional, I can assure you that in my experience, it is incredibly common to see web-based malware attempt to infect machines through Java exploits - and I suspect that any other IT professional who manages user desktops and anti-malware software will say the same.
posted by eschatfische at 5:22 PM on February 18, 2012
Kaspersky Lab, another leading anti-malware vendor, writes that Java was the target of choice for exploit kits in 2011.
Former Washington Post reporter and cybercrime journalist Brian Krebs wrote an article about the severity of Java security concerns back in 2010. In November, he discusses more recent Java exploits, and concludes both articles with the advice "If you don’t need Java, get rid of it."
As an IT professional, I can assure you that in my experience, it is incredibly common to see web-based malware attempt to infect machines through Java exploits - and I suspect that any other IT professional who manages user desktops and anti-malware software will say the same.
posted by eschatfische at 5:22 PM on February 18, 2012
Response by poster: Interesting links, eschatfische. Thank you very much.
posted by DarkForest at 5:42 PM on February 18, 2012
posted by DarkForest at 5:42 PM on February 18, 2012
This thread is closed to new comments.
I don't have statistics on hand for virus prevalence, but if I had to guess I'd say it was #3 behind Flash and PDF bugs. It's ongoing, for instance just this month Java Security Update Scrubs 14 Flaws. Note "Oracle estimates that Java is installed on more than three billion machines worldwide." It's an attractive target.
posted by Nelson at 2:38 PM on February 18, 2012 [2 favorites]