Perhaps the full story is a bit more nuanced, though. These reports actually didn't start at Microsoft; the news broke with Brian Krebs [http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/], and soon led to various security bulletins like MSIR, Kerberos [http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2010-005.txt#at] and Secunia [http://secunia.com/advisories/41791].

In short, there are multiple things going on here - a rise in attacks using patched bugs, as well as unpatched bugs. As to why installations are going unpatched:

- I believe the JRE only checks every 14 days (Windows).
- Mac lagging behind?
- People easily end up using multiple JREs.
- Enterprise environments (Citrix etc.) are often conservative.

Indeed, I have to wait for my distro (Ubuntu 10.10 with 1.6.0_21) to send the updates out before I can be safe too!

On Oct 23, 4:08 am, Liam Knox <[email protected]> wrote:
> Pot Kettle Black
>
> On Sat, Oct 23, 2010 at 12:50 AM, Karsten Silz <[email protected]> wrote:
>
> > Hi,
> >
> > A Microsoft employee blogged that three (patched!) security holes now
> > make Java the most attacked (third-party?) software on Windows, going
> > from about 500k attacks in Q2 to about 6 mill. in Q3. This compares
> > to less than 100k attacks against Adobe Reader:
> >
> > http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-t...
> >
> > This is Microsoft and only includes data from Windows machines with
> > Microsoft anti-malware software, so I take it with a big grain of
> > salt. For instance, Flash had a couple of patches for security holes,
> > too - didn't anybody attack this?
> >
> > If the data is true, however, then the interesting thing is that those
> > security holes have been patched a while ago, suggesting that the JRE
> > auto update functionality doesn't work well enough - or too many
> > people use an older JRE/JDK.
> >
> > Between the security holes in Flash, Adobe Reader and Java, I can see
> > Steve Jobs smile somewhere. ;-)
