Java, Android were THE wide-open barn doors of security in 2013 - report

While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found. According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per …

COMMENTS

  1. Destroy All Monsters

    Larry don't care

    He wanna get all the chickens onto the monetization conveyor belt, and Java on clients just ain't on the road to that kinda program.

  2. Anonymous Coward

    I hear that all Android phones will now come with a warning printed in the box.

    "This phone may be detrimental to your financial well being" on the front.

    "Beware, download apps at your own risk, the manufacturer accepts no liability for your foolish behaviour" on the back

    1. Chris T Almighty

      To be fair, it's perfectly safe to download apps from the Play store. Those who choose to download pirated software from unofficial sites...well, it's to be expected.

      The report said something like 14% of web malware was targeted at iPhones, which is weird because we would have heard if there were widespread iPhone infections. So I'm thinking these stats include failed attacks, i.e. sites trying old and long patched vulnerabilities.

      I'd love to hear from an expert... if you don't invite viruses in via pirated software, what is the actual risk of a drive-by infection?

  3. Anonymous Coward

    99% of all mobile exploits are on Android

    It's truly the Windows of the mobile world.

    1. Anonymous Coward

      Re: 99% of all mobile exploits are on Android

      You mean, "it is truly A Windows moment!"

    2. Fuh Quit
      Thumb Up

      Re: 99% of all mobile exploits are on Android

      Yes, 99% of not a lot is not a lot.

      It'll be very interesting, however, to see what happens in the next 2 years.

      I am happy with my Nexus 5 but I must say the fact that updates to Android come via Google to OEMs and then get customised by service providers does not help here. iOS at least has a consistent approach to updates (until your still-working device gets orphaned).

      What's clear though is that Java sucks monkey balls.

      1. Anonymous Coward

        Re: 99% of all mobile exploits are on Android

        "Yes, 99% of not a lot is not a lot."

        Actually there is LOADS of Android malware out there, and about 0.5% (1 in 200 devices) are currently infected:

        http://www.zdnet.com/android-malware-samples-jump-six-fold-in-q2-7000018483/

        http://www.eweek.com/security/mobile-malware-threat-growth-hits-record-in-q2-mcafee

        1. eulampios

          @AC: not very plausible figures...

          Actually there is LOADS of Android malware out there, and about 0.5% (1 in 200 devices) are currently infected:

          AC, your zdnet link points to an article that mentions another "Alcatel-Lucent report" stating your figures. Well, if memory doesn't fail me, it's one of the first attempts to count the actual number of trojaned Android systems. However, the mentioned methodology is not very convincing, to say the least. No details are provided, yet according to their own paper:

          To accurately detect that a user is infected, our signature set looks for network behavior that provides unequivocal evidence of infection coming from the user’s computer. This includes:

          • Malware command and control (C&C) communications

          • Backdoor connections

          • Attempts to infect others (e.g. exploits)

          • Excessive e-mail

          • Denial of Service (DoS) and hacking activity

          Although for Windows all of those methods might be eligible, for Android it could only be #1, thanks to Android's separation between apps. The other usual indication of malware activity they talk about is texting or even placing calls, yet they cannot intercept that.

          Okay, so, from their sample, it's 0.5% of Android devices they found to engage in some C&C communications? Can we do it globally and monitor it world-wide? Yes, so why is it not detected world-wide that 0.5% of a billion (or more), some 5 million devices, are flooding the Internet? Moreover, no figures for those activities seem to exist outside of Kindsight's vigilant sight, because those might indeed be negligible or non-existent.

          here's another quote: The table below shows the top 20 Android malware detected in Q2 in the networks where the Kindsight Mobile Security solution is deployed...

          Kindsight seems to be able not only to detect so many C&C communications, they can easily distinguish between the actual species of trojans... No details of this innovative approach are attached to the report though...

          Is it a scientific finding? To me it rather looks like another AV scaremongering ad.
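As an added illustration of the network-behaviour approach the quoted methodology describes, here is a toy detector in Python. It is example code written for this page, not Kindsight's, Alcatel-Lucent's or the report's own logic (which, as the post above notes, is not published); the flow records, the device addresses and the C&C hostname are all constructed. It applies rule 1 from the quoted list (a destination on a C&C indicator list) and one behavioural heuristic the list does not spell out, periodic beaconing to the same destination, and then reports how many of the devices seen in the sample were flagged, which is the kind of ratio an "x% of devices are infected" figure is built from.

```python
# Added illustration (not Kindsight's or Alcatel-Lucent's code): a toy
# network-behaviour detector over constructed flow records.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: epoch seconds, source device, destination host,
# destination port, bytes sent. None of these hosts or addresses are real.
SAMPLE_FLOWS = """\
1390000000 10.0.0.5 update.example-cdn.net 443 1200
1390000010 10.0.0.7 evil-c2.example 8080 310
1390000020 10.0.0.5 news.example.org 443 5400
1390000310 10.0.0.7 evil-c2.example 8080 305
1390000500 10.0.0.5 update.example-cdn.net 443 1300
1390000610 10.0.0.7 evil-c2.example 8080 312
1390000910 10.0.0.7 evil-c2.example 8080 308
1390001200 10.0.0.5 news.example.org 443 7100
1390001210 10.0.0.7 evil-c2.example 8080 301
"""

# Constructed C&C indicator list (hypothetical; a real feed would be far larger).
C2_SIGNATURES = {"evil-c2.example"}


def parse_flows(text):
    """Turn the whitespace-separated log into (ts, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows


def match_c2_signatures(flows, signatures=C2_SIGNATURES):
    """Rule 1 of the quoted list: any flow to a listed C&C host marks the source."""
    return sorted({src for _, src, dst, _, _ in flows if dst in signatures})


def find_beacons(flows, min_hits=4, max_jitter=0.1):
    """Behavioural rule: a src->dst:port pair contacted at near-constant intervals.

    Returns {(src, dst, port): period_seconds} for pairs with at least min_hits
    contacts whose gaps have a coefficient of variation (stdev/mean) <= max_jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


def infection_rate(flows):
    """(flagged devices, total devices seen) under both rules combined."""
    flagged = set(match_c2_signatures(flows))
    flagged.update(src for src, _, _ in find_beacons(flows))
    total = {src for _, src, _, _, _ in flows}
    return len(flagged), len(total)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("signature hits:", match_c2_signatures(flows))
    print("beacons:", find_beacons(flows))
    print("flagged/total devices:", infection_rate(flows))
```

On the constructed sample the one device that checks in every 300 seconds is caught by both rules and the result is 1 flagged device out of 2 seen. That is exactly the step the post above is questioning: a vendor sees flows only on the networks where its sensor sits, so the denominator is that sample, not the installed base, and a ratio from it extrapolates to the whole Android population only if the monitored networks are representative. The beacon heuristic also shows why signature-free detection is noisy: a legitimate update client that polls on a fixed timer would be flagged the same way, so in practice such a hit is a lead for analysis rather than "unequivocal evidence of infection".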

      2. Anonymous Coward

        Re: 99% of all mobile exploits are on Android

        "I am happy with my Nexus 5 but I must say the fact that updates to Android come via Google to OEMs and then get customised by service providers does not help here. iOS at least has a consistent approach to updates (until your still-working device gets orphaned)."

        I tend to agree - I'm not a big Google fan, but I won't say that they don't have a lot of smart people there. Why then is it that the model for sending out updates they've chosen is one which the rest of the mobile world is moving away from? Namely if the OS manufacturer doesn't push out the software updates and relies upon the OEM and/or the telco, they'll never get sent out.

        The reason that I eventually left Nokia was the Xpress Music 5900 (if I remember the number correctly): there were several different versions of the same phone, with different firmware releases. Nokia would push out a release and then the telcos would sit on it for months. The telcos had no incentive to skin and customise software for phones which they no longer sold, why would they? OS updates have to come from the hardware vendor.

        I wonder if there is some legal problem with Google sending out updates which would make them liable for parts of the OS for which the IP is questioned? It surely can't be that they don't have the server infrastructure and bandwidth to deal with it?

      3. wikkity

        Re: 99% of all mobile exploits are on Android

        > What's clear though is that Java sucks monkey balls.

        No, what is clear is that the Java _web plugin_ sucks; all other Java-related software is unaffected by this. This is ancient technology that won't go away. Anyone who still uses applets nowadays should really be switching to something else. For customer-facing operations no one has any excuse to still use these; only if you are sitting in a secure network could you justify still using them.

        1. Anonymous Coward
          Thumb Up

          Re: 99% of all mobile exploits are on Android

          @wikkity

          Finally someone who knows what she/he is talking about.

    3. Anonymous Coward

      Re: 99% of all mobile exploits are on Android

      "Its truly the Windows XP of the mobile world."

      There you go - fixed it for you.

      Windows Phone is actually the most secure mobile OS option at the moment by both Malware and vulnerabilities.

      1. Hans 1
        Coat

        Re: 99% of all mobile exploits are on Android

        >Windows Phone is actually the most secure mobile OS option at the moment by both Malware and vulnerabilities.

        Nobody wants to waste time trying to exploit a vuln in the phones of the two Windows Phone users on this planet, so there might not be any exploits, yet. However, I call crap on "most secure mobile OS" - what are you smoking? I need some of that for my mother-in-law!

        The most secure mobile OS is BB by a whole fscking universe.

        1. AMBxx
          Joke

          Re: 99% of all mobile exploits are on Android

          I like my WP. At least if I get mugged, they'll leave me the phone so I can call for help.

          1. MrRtd

            Re: 99% of all mobile exploits are on Android

            Or they will kick you in the face for not having a phone worth stealing.

      2. Anonymous Coward

        Re: 99% of all mobile exploits are on Android

        Windows Phone is actually the most secure mobile OS option at the moment by both Malware and vulnerabilities

        True. 3 users don't really register on any statistical analysis.

  4. petur
    Mushroom

    Cisco?

    pot, kettle!

  5. Adam 1

    > malware developers in the mobile realm seem laser-focused on Android, with Android users experiencing nearly three quarters of all encounters with web-based malware in 2013.

    Wouldn't that be expected given that android claims about 75% market share? Isn't that like saying Toyotas are less safe than Porsches because they are involved in more accidents?

    1. Anonymous Coward

      On initial reading that would appear to be the case, but if you go back it says that Android users experience nearly three quarters of all encounters with *web-based* malware.

      That is the users of one mobile platform encounter three quarters of all the malware on the WWW as a whole. That, if true and we've no reason to believe it isn't at least in the correct ball-park, is a pretty disturbing statistic.

  6. Anonymous Coward

    "In many cases, these enterprises run both versions side-by-side because certain of their applications require a specific Java version to run"

    And that's down to utter incompetence on the part of whoever wrote those applications. I've worked on multi-million LOC Java projects which work without modification when moving from one major version to another. You either have to use a non-public API or deliberately code a version check into your application to prevent it working between say Java 6 and 7. I know many of these applications are certified for a specific version of Java (usually down to a single release) but that's just a revenue generator for the vendor so they can gouge you for a new version if you want to upgrade the Java version you run the app on.

    1. Nick Ryan
      Facepalm

      It's worse than utterly incompetent...

      The software that we have here that requires the old, very insecure, unsupported version of Java is written by Oracle.

      1. Anonymous Coward

        That lisp must be driving you nuts!

        1. Anonymous Coward

          Igor?

          Thometimeth he forgeth to lithp mathter.

          Précis of a conversation between an Igor and Sam Vimes about why a young Igor with modern ideas should go to the City...

      2. Anonymous Coward

        That is not a problem provided it uses a Java folder which is not registered as a Browser plugin, or better still not registered with the OS via standard Sun/Oracle installer.

        I have Java 1.5 and 1.6 SDK instances, unzipped to machines for legacy development *, not installed, especially not the JRE, so the browser and OS don't see them, so they are not a security risk.

        * I'd like to stop having to do this, so that I don't have to develop legacy API code, but customers can take many years to upgrade the main product!

        Never ever run a Java 1.5 or 1.6 JRE installer on a machine, including as part of an SDK install; if you have, uninstall that JRE sharpish!

        The latest Java 7 Update 51 now has a compulsory signing and whitelisting mechanism for Applets and Webstart, so anyone who complains about Java now is probably an idiot troll, lazy, or too stupid to upgrade.

        Any organisation which requires an obsolete JRE to be installed for the OS or browser (insecure) should be publicly shamed and boycotted until they support and require use of a secure Java 7 revision.
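The post above draws a practical line: a legacy JDK unzipped for development is tolerable, an obsolete JRE registered with the OS or browser is not, and Java 7 Update 51 is the floor. As an added example (written for this page, not code from Oracle or from the poster), here is a small Python inventory check that parses `java -version` banners, compares them against that floor including the update number, and separates "uninstall this" from "keep it unregistered". The inventory list is constructed, and the `registered` flag is an assumption standing in for whatever your real inventory tool reports about plugin or PATH registration; finding that out on a live machine (browser plugin lists, the Windows registry, `update-alternatives` on Linux) is outside what this snippet does.

```python
# Added example (not the poster's or Oracle's code): flag obsolete Java runtimes
# from version banners, using the Java 7u51 floor named in the post above.
import re

MIN_SAFE = (1, 7, 0, 51)  # Java 7 Update 51, as (major, minor, patch, update)

# First line of `java -version`, e.g. 'java version "1.7.0_51"' or 'openjdk version "1.8.0_292"'.
# Java 9+ banners such as 'java version "9.0.1"' have no _update field, so it is optional.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, patch, update) parsed from a `java -version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no java version string found in: %r" % banner)
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_obsolete(version, floor=MIN_SAFE):
    """Tuple comparison handles the update number, so 1.7.0_45 < 1.7.0_51."""
    return version < floor


# Constructed inventory: (install path, banner, registered with OS/browser?).
# Paths and the `registered` flag are hypothetical stand-ins for real inventory data.
SAMPLE_INVENTORY = [
    ("C:\\Program Files\\Java\\jre6", 'java version "1.6.0_45"', True),
    ("C:\\tools\\jdk1.5.0_22", 'java version "1.5.0_22"', False),
    ("C:\\Program Files\\Java\\jre7", 'java version "1.7.0_51"', True),
    ("/opt/jdk1.7.0_45", 'java version "1.7.0_45"', True),
]


def audit(inventory):
    """Return (path, version, action) for every runtime below the floor.

    Only a registered obsolete runtime is reachable by the browser plugin or
    by applications launched via the OS, so only that case is an "uninstall".
    """
    findings = []
    for path, banner, registered in inventory:
        version = parse_java_version(banner)
        if not is_obsolete(version):
            continue
        if registered:
            findings.append((path, version, "uninstall: obsolete JRE registered with OS/browser"))
        else:
            findings.append((path, version, "legacy dev copy: keep unregistered, never install"))
    return findings


if __name__ == "__main__":
    for path, version, action in audit(SAMPLE_INVENTORY):
        print("%-32s %-12s %s" % (path, ".".join(map(str, version[:3])) + "_%d" % version[3], action))
```

Two points worth noting for anyone adapting this: the comparison is on the full four-part tuple, because the poster's floor is an update level, not just a major version, and 1.7.0_45 on the sample correctly comes out as obsolete; and an unregistered copy is reported rather than ignored, so it stays visible in the inventory and does not quietly get "installed" later.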

  7. Anonymous Coward

    Let's make it clear

    Windows desktop - has most malware due to poor underpinnings of the OS, and not its 90% market share and large proportion of clueless users

    Android - has most malware despite its godlike, bulletproof underpinnings, because of its 75% market share and large proportion of clueless users

    I hope that is clear for everyone and we can all keep worshipping our penguin idol.

    1. Anonymous Coward

      Re: Let's make it clear

      I do have to take my hat off to Google - they've proved what I thought would be utterly impossible, in that they have shown there is a rampant market for viruses and malware for Linux. This is no mean achievement.

      Of course, Android is not Linux when it has security problems and is Linux when market share is quoted. Sort of a particle/wave duality...

      </removes tongue from cheek>

      1. Matthew 25
        Thumb Up

        Re: Let's make it clear

        "Of course, Android is not Linux when it has security problems and is Linux when market share is quoted. Sort of a particle/wave duality..."

        Nice!

        1. Anonymous Coward

          Re: Android is not Linux ..?

          I thought that although Android runs on top of a Linux kernel running on the hardware, the really "Androidy" bits aren't Linux at all - Android is a non-Linux UI and other applications sitting on top.

          In such a case (i.e. assuming I'm not wrong), we have to check first where the vulnerabilities are: in the Linux kernel, or the Android layer on top? If these are Android-layer vulnerabilities, you can't blame the Linux kernel. If there are Linux kernel vulnerabilities, you can't blame Android. Perhaps in some cases it's not as clear, though.

          Clarifications/corrections welcome...

          1. Anonymous Coward

            Re: Android is not Linux ..?

            You're probably right, but the thing is that the semantic arguments about what is and isn't Linux are just that. Most people in the real world don't care that Linux is really GNU/Linux or Android is really Android/Linux, because Linux or Android is what is really used by pretty much everyone except RMS to mean the code and surrounding ecosystem. If I've got a bug in my CentOS or Debian install in the core software, I'm not going to describe it as a bug in package x, y or z, I'm just going to describe it as a bug in Linux. So would any other reasonable person, apart from the zealoty fanboys who can't stand anything to be wrong with Linux - which is what they call it, until making a semantic change means they can try to sidestep perceived criticism.

            1. Anonymous Coward

              Re: Most people in the real world don't care that Android is really Android/Linux

              ... and most likely they don't even care it's Android, it's just "a bug in my phone"; but then at that level they might not even be noticing many/most bugs anyway.

              IMO it's hardly surprising that Linux fans make the Android vs Linux distinction. After all, they are likely used to a choice of UI (KDE, GNOME, Xfce, twm etc.), and will have a preference. And, I'd assume, will probably not regard that UI as "core", although (e.g.) X is. Of course they find it irritating that "Linux" gets blamed for mistakes in Android, because they wouldn't go around blaming "Linux" for whatever it is they find wrong with (e.g.) GNOME.

              While many might conflate "bugs in android" with "bugs in linux" they'd be wrong to do so - the distinction isn't mere semantics. However, this does not mean (as you say) that I would expect them to /care/ that they're wrong.

              But, y'know, this is the Register forums we're in - shouldn't we at least make an attempt at keeping such things more carefully argued than would be expected from a "non-IT-ish" phone user?

    2. eulampios
      Linux

      @AC, yes let's make it clear

      Android - has most malware despite its godlike...

      Let's make it clear that most Android malware exist in the minds of AV advertisers and "security researchers". The sheer volume of it they talk about is not very well correlated with the number of infected devices. It's probably hard to reliably estimate those numbers too.

      I would personally judge from the number of complaining acquaintances. Yes, about 70-75% of them use both Android and Windows devices. About 90% of them have at least once suffered from Windows malware (scareware, desktop hijackers, credential sniffers, spam-ware etc.). I also know it from helping them clean it up or by getting spam sometimes originating from Romania, Ukraine, China and other outlandish places. No one has ever had any unsolicited texting, dialing etc., nor any other indication of a trojaned Android app installed.

      One reason perhaps is that they have been using Windows longer than they have Android, yet there's an undeniable design superiority Android has over Windows: its separation and sand-boxing of apps and transparent permission system. The existence of Google Play might be another one (yet still inferior to the secure repos/ports most distros use). The simple design that Android has, its low footprint and the fact that it runs atop a Linux kernel that is widely and actively tested and developed -- all these things are also pretty hard to overestimate.

      No, Linux is not "godlike". You can still make a shitty envelope around it. Given special talents, you can easily put a fly in any ointment. Android is not that case though. On the other hand, no one knows what kind of ointment an NT kernel is with its magic hybrid design and other delicacies.

      BTW, as far as Android is concerned, there hasn't been a single proper Android system or Linux kernel vulnerability exploited in the wild .. yet. Just sayin'....

  8. GrumpyOldMan

    Said it lot of times before. It's why I use a Blackberry.

    1. Anonymous Coward

      " It's why I use a Blackberry."

      That must be like being the last dodo. Not much chance of getting jiggy with a female Blackberry user, so you'll be extinct soon.

      1. Getriebe

        "That must be like being the last dodo. Not much chance of getting jiggy with a female Blackberry user, so you'll be extinct soon."

        You are a tad wrong.

        http://www.spifftv.com/video.php?id=2168

        South London! Ard! man like Blackberry.

      2. Anonymous Coward

        female BlackBerry user

        Given where most of them work, your problem is more likely to be that she earns a lot more than you do.

  9. Alan Denman

    Nein Nein Percent IOS

    Meanwhile 99.9% of all IOS malware lies undiscovered.

    Ve have de garden vay of making that AV detector software naff off !

  10. Ilsa Loving

    I'll just leave this right here...

    "The vast majority of mobile attacks involved things like phishing, social engineering lures, or forcible redirects to unwanted websites, rather than direct attacks on the device hardware or operating system."

    In other words, most of the attacks are not technical in nature. They are targeting the biggest security risk of all: the users themselves.

    The fact that they are 'targeting android' is simply because android has the biggest marketshare right now. Of course, it doesn't help that Google is actively taking steps to *prevent* users from protecting themselves. When I was in the market for a new tablet, I was trying to decide between an iPad or a high-end android device. Then I read about how Google 'accidentally' added the privacy features in Android 4.3 and was going to remove them in later versions. That made the decision much easier.

  11. EJ

    And yet the one incident we had centered around Microsoft Silverlight, and not Java. Go figure.

  12. Anonymous Coward

    Android security flaws?

    Mobile malware isn't a flaw in Android but a flaw in the human working the device, as in don't download and install software from untrusted sources. Lumping them in with zero-day exploits is being disingenuous at its worst.

  13. eulampios

    poorly written malware... I mean scripts on Cisco's site?

    Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.

    So how did they discover it?

    Can't download their report, even after "temporarily allowing all scripts" with NoScript on the linked page.

  14. G 14

    One stupid XEROX bit of software means I have to run Java at work; Minecraft for the spawn means I have to run Java at home.
