Good news: Oracle says the next major version of its Java software will no longer plug directly into the user’s Web browser. This long overdue step should cut down dramatically on the number of computers infected with malicious software via opportunistic, so-called “drive-by” download attacks that exploit outdated Java plugins across countless browsers and multiple operating systems.
According to Oracle, some 97 percent of enterprise computers and a whopping 89 percent of desktop systems in the U.S. run some form of Java. This has made Java JRE (the form of Java that runs most commonly on end-user systems) a prime target of malware authors.
“Exploit kits,” crimeware made to be stitched into the fabric of hacked and malicious sites, lie in wait for visitors who browse the booby-trapped sites. The kits can silently install malicious software on computers of anyone visiting or forcibly redirected to booby-trapped sites without the latest version of the Java plugin installed. In addition, crooks are constantly trying to inject scripts that invoke exploit kits via tainted advertisements submitted to the major ad networks.
These exploit kits — using names like “Angler,” “Blackhole,” “Nuclear” and “Rig” — are equipped to try a kitchen sink full of exploits for various browser plugins, but historically most of those exploits have been attacks on outdated Java and Adobe Flash plugins. As a result, KrebsOnSecurity has long warned users to remove Java altogether, or at least unplug it from the browser unless and until it is needed.
On Jan. 27, 2016, Oracle took a major step toward reducing the effectiveness of exploit kits and other crimeware when the company announced it was pulling the browser plugin from the next desktop version of Java – Java JRE 9. Continue reading →