Java, Adobe vulns blamed for Windows malware mayhem

Failure to patch third-party applications has become the main reason that Windows machines get infected with malware. Drive-by download attacks from hacker-controlled websites loaded with exploits replaced infected email attachments as the main distribution method for malware somewhere between three to five years ago. At the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Good to see Java alive and well on the desktop ... I thought people only used it server side....

    1. Anonymous Coward
      Anonymous Coward

      Nah, personally I love Java and its constant pestering to update and install toolbar of the week...

  2. semprance
    Meh

    Title is a bit misleading: are they really to blame? After all, if a carpenter fits a door and advises me to keep and maintain a working lock, is he to blame if I don't put a lock on, or put a lock on and fail to maintain it? Admittedly, Adobe (for example) is both the carpenter and the lock-maker, but they can't - and shouldn't - force anyone to install software on their computer, be it a whole software package or a single security update.

    Not that they're not guilty of a thousand other crimes against computer security. It's just that the user has to actively click the Update Now button - it's a choice.

    1. JC_

      Auto-update (for security patches, not feature improvements) should be automatic and the user ought to have to explicitly choose to opt-out, accompanied with appropriately scary warnings. i.e. the sensible behaviour should be the default.

      1. Ed Vim

        Auto-update for most applications is a disputable reality. It's only a partial solution. As one of the previous comments already mentioned, using a computer with administrative privileges is a bad idea. Maybe more of an issue with WinXP than Win7 but still relevant, and this is definitely an issue that contrasts corporate systems and consumer systems. In most big companies the general user login account is a restricted one, limiting what the user can do, especially when it affects the operating system. It's the responsibility of the IT department to maintain and update things. Most home users use their computers by logging into an account they set up with administrative privileges, most unaware that's not a safe way to do so or some simply not patient enough to have to log out and into an administrative account for occasional maintenance.

    2. Test Man
      Stop

      Yes it is their fault...

      ... if they put a known faulty lock on in the first place.

      1. semprance
        Thumb Down

        Why would you intentionally buy a door with a faulty lock, especially when there are numerous alternative 'doors'?

    3. Elmer Phud
      Meh

      Early doors

      If Windows is your house then do you regularly check to ensure the doors not only have locks that work but also close, latch and keep the draught out?

      Do you make sure the gate to the garden is secure or just leave it open?

      Do you leave your bins outside the house or have a note asking the dustmen to come in and get it themselves?

      Do you invite people selling switch-over deals indoors without at least checking their ID?

      Don't blame the house - it's usually the occupant that screws up.

      1. 437T
        Pint

        Hey, I like the draught!

        Elmer Phud says: "If Windows is your house then do you regularly check to ensure the doors not only have locks that work but also close, latch and keep the draught out."

  3. jubtastic1
    Stop

    Removing them works as well

    And doesn't require constant patching; keep Chrome around for the odd time a website doesn't fall back to HTML when Flash isn't installed, and get a third-party app for PDFs.

    Not a lot of help if you have to run Java apps, but most users' only interaction with Java is through malware.

  4. Peter 51
    FAIL

    The joys of running plugins without being asked

    I've lost two XP machines to drive-by infections. Now with Flashblock and Foxit Reader instead of Adobe on Win 7 I'm *slightly* more confident, but what I really want is the equivalent of Flashblock for all 3rd party plugin content. I really don't think there's a problem in asking me whether I want to load something or not ... that way I'd know if it was in response to something I'd clicked on.

    1. Anonymous Coward
      Anonymous Coward

      Methinks you need to use a better browser. A mountain bike to your penny farthing, you might say.

    2. Gordon Fecyk
      WTF?

      "but what I really want is the equivalent of Flashblock for all 3rd party plugin content."

      It's called "Browse without add-ons" and it's been available since IE7.

      As for preventing "drive-by infections," do you still surf as an administrator? I hope you at least have UAC turned on in Win7.

      It's funny; two years on Win7, at least nine years on Win2K and I haven't lost a PC to those jokers, yet everyone around me has nothing but trouble. It's not like I use any secret CIA / MI6 / CSIS techniques. I just use what's built in to Windows and I just don't install garbage that needs admin access to run anymore.

      1. 437T
        Boffin

        That you know of...

        Gordon Fecyk says: "It's funny; two years on Win7, at least nine years on Win2K and I haven't lost a PC to those jokers..."

        1. Anonymous Coward
          Anonymous Coward

          Doubt it.

          Any person who has half a clue on how this stuff works can be fairly confident that nothing will happen. I'm in the same boat as Gordon; I've stopped running anti-virus software for years now and I've used nothing but Windows for my OS. The only time I've had any problems is when I carelessly ran dodgy software I downloaded from BitTorrent. That was my own fault.

          I'm too lazy for an 'alternative' OS.

  5. LPF

    and people castigate Apple..

    for not putting Flash on their systems!!

    1. texiso
      Facepalm

      I think Apple knows their user base pretty well eh?

      I wouldn't expect them to be the most diligent at patching.

  6. Anonymous Coward
    Anonymous Coward

    hmm....

    So 48% Adobe exploits, 37% Java exploits, 10% IE exploits, 2% Quicktime exploits, leaving 3% of exploits accounted for by World+Dog, which seems to be mostly Microsoft Help & Support HCP. Nasty. Right, I'm off to stackoverflow.... sorry Adobe!

  7. Joe Montana
    FAIL

    Diversity!

    Hackers will go for the largest possible target... A few years ago when 95% of web users ran IE it made an attractive target, now that it is down to 40% it's less interesting.

    On the other hand, the programs which are being targeted are still on over 90% of users' machines, including those using non-IE browsers.

    If these programs had competitors such that the market was split up, then they would be much less attractive targets too. Monocultures are very bad for security.

    Another problem that compounds the issue, is the lack of a centralised package system on Windows... Every app needs its own crufty update system, which wastes resources and ends up getting turned off. Linux has a much better approach: add your repository to the system package manager and then it will get updated at the same time as everything else.

    1. Gordon Fecyk
      Gimp

      "Another problem that compounds the issue, is the lack of a centralised package system on Windows... "

      Last I checked, it was called "Microsoft Systems Installer," or "Windows Installer." Been available for Windows since ME and 2K, and backported as far as Windows 95. Plenty of third-party tools for creating and managing packages too, including patches (MSP).

      Making vendors use them, well, that's like herding cats. At least Adobe and Oracle have MSI packages available for their products.

    2. Anonymous Coward
      Anonymous Coward

      What really hacks me off,

      is management having a web based accounting package that depends on a Java version that was already 6 months obsolete (as in not supported, not just not the newest) when I started here over 2 years ago. And no visible plans in sight to fix it.

      Grrr...

      AC for obvious reasons.

  8. Ken Hagan Gold badge

    99.8% of what, exactly?

    "99.8 per cent of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages"

    Umm, yes, that quote does appear in the linked article. However, it is unsupported by the evidence in their pie charts...

    37% Java

    32% Acrobat

    16% Flash

    10% IE

    3% HCP (Windows Help)

    2% Quicktime

    The first five add up to only 98%, not 99.8% and presumably the collection of six has been normalised to 100%, since other vectors exist, so I think either the "5" or the "99.8" must be wrong. Be that as it may...

    ...Am I alone in being depressed that the original purpose of #1 was to be a sandbox and the original purpose of the next 5 was (or certainly ought to have been) the presentation of dumb content?

  9. Anonymous Coward
    Thumb Up

    Things are improving…

    Once upon a time, it was the OS that was vulnerable. The security issues are slowly rising up the stack, which IMO is a good thing.

    Yes, clearly Microsoft is learning, and now Adobe and Oracle must pull their collective fingers out and "fix their $#!t". I see this as the industry moving forward.

    The fact that it's Sun (Oracle) Java and Macromedia (Adobe) Flash which are two of the biggest culprits today worries me though, as they're pieces of software that are common to many platforms including MacOS X and Linux, not just Windows.

    Fingers crossed we can rid the need of Java and Flash, and can push the (superior) alternative PDF viewers, and that should improve the security landscape quite a bit. (Or it'll just push the crackers to tackle other targets…)

  10. Fuzz

    Java

    Java is a menace, if you have an application that mandates a particular version of Java then you can't update. Obviously this is just sloppy coding that ties an application to a version but it means that corporate desktops are wide open to this kind of attack.

    Flash is very nearly as bad. The auto mechanism requires you to be an administrator on your computer. Keeping Flash up to date using group policy requires you to constantly check version numbers.

    Say what you like about Microsoft but WSUS is a fantastic tool for keeping all your Microsoft software patched across a large deployment of computers.

  11. Tom 7

    And there was me thinking

    it was the completely unrealistic Wx security model.

  12. ColonelClaw
    Facepalm

    Adobe must be proud

    How is it possible that one third-party vendor can be responsible for nearly half of all attacks on an entire software platform? Are they really that bloody useless at coding decent software? That really is incompetence on a staggering, global, level.

  13. Anonymous Coward
    Anonymous Coward

    No word on

    Whose fault it is that browser plugins are allowed to do pretty much anything on a Windows system, thus allowing for malware to spread that way.

    After all, when's the last time there _wasn't_ a zero day Adobe Reader exploit?

  14. Anonymous Coward
    Anonymous Coward

    MS policy of exclusion is to blame

    The important question to ask is why Windows Update doesn't handle third-party software. Other operating systems have had software-distribution mechanisms which are able to include 3rd-party software since online software distribution took off with the commercialisation of the internet in the 1990s. A system update on any of my systems updates everything regardless of origin except software that I've built and installed from source myself, and it's been like that for more than a decade.

    MS still choose the excluding path. It's their choice, but don't blame others for their mess.

    1. Al Jones

      Commercially licensed apps?

      How many commercially licensed applications are included in those updates you perform?

      1. Anonymous Coward
        Anonymous Coward

        Licenses

        I really do not see the point in having to approve the license on each and every update, it is madness. Anyway, I have started to use Secunia PSI and that works well in the background, so they appear to have got around the problem.
