Microsoft Escapes Kaspersky's Top 10 Vulnerabilities List

An anonymous reader writes "Security firm Kaspersky has released its latest IT Threat Evolution report. There were some interesting findings in the report, as always, but the most interesting thing that stuck out was all the way at the bottom: 'Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.'"

Fluff.

[bmo]

This article is nothing but Softie cheerleading without any meat. You have to go to the report itself for any real facts.

Indeed, this paragraph explains *why* Java exploits are common in the wild.

Java vulnerabilities were exploited in more than 50% of all attacks. According to Oracle, different versions of this virtual machine are installed on more than 1.1 billion computers. Importantly, updates for this software are installed on demand rather than automatically, increasing the lifetime of vulnerabilities. In addition, Java exploits are sufficiently easy to use under any Windows version and, with some additional work by cybercriminals, as in the case of Flashfake, cross-platform exploits can be created. This explains the special interest of cybercriminals in Java vulnerabilities. Naturally, most detections are triggered by various exploit packs.

In other words, if you do auto-updates of java and stuff like it, you are far less vulnerable. I don't think Windows even has a facility to do this, one must roll one's own for each package.

Keeping up to date with Oracle Java on Debian style systems:

http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html [webupd8.org]

--
BMO

auto-updates of java

[Tim Ward]

But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

Re:auto-updates of java

[Carcass666]

But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

This. For those running eBusiness Suite and also have to use sites with applets, companies are caught between the rock of having to update Java to keep your browsers happy and the hard place of incompatibility of applications with newer versions of Java. Yes, you can load multiple versions of Java, but keeping things automatically updated, and keeping each application/browser using the correct JVM? Ouch. The recent issues over the past few months with poorly executed changes in the security model (broken applets that leverage AJAX), Apple's insistence (now abandoned) on distributing its own, outdated Java, and the mediocre UI stack make Java on the desktop a nightmare. I love my glassfish servers, but Java needs to be abandoned on the desktop. I think most people have given up on "write once, run anywhere", they would settle for "write once, run consistently". The Java brand suffers because of the desktop nonsense, which is a shame because it is so powerful and useful on servers.

Re:Windows is no longer relevant

[Luckyo]

Not really, no. My current gaming rig cost me about 800€, my laptop was 350€ and my smartphone was 100€ (from store, not operator, no subsidy).

Quite a few of us like bang for a buck, rather then bang at any cost.

Re:auto-updates of java

[jbengt]

#Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured . .

Exactly. I do work for a client that uses Primavera - which we have to access thru a browser for all records and communication on their construction projects. A recent update to their installation required us to install a very particular Java version that is not at all up-to-date or secure, fuck whatever else we might need Java for. The kicker is that both Java and Primvera are Oracle products.