Unprecedented Spike In Java Exploits Surfaces

This past year something has been brewing in the underbelly of the Internet that has only recently come to light, causing security experts to sit up and take notice. Exploits against Java have multiplied tremendously in number, and they are proving to be incredibly effective. First reported by Krebs On Security last week, the trend is now confirmed by the Microsoft Malware Protection Center (MMPC) in a blog post about the wave of Java exploitation they found when reviewing their gathered monitoring data. In fact, the MMPC discovered that by the beginning of this year the number of exploits against Java vulnerabilities well surpassed the number of Adobe exploits they monitored.

Three recent vulnerabilities in Java have paved the way for malware exploitation, and all three have had patches available for some time. The vulnerabilities are multi-platform (Linux, Mac, Windows) and can allow remote code execution. The MMPC has a table with a few details about the vulnerabilities; what is notable is that two of them went from hundreds of thousands of attacks per quarter to millions. Another reason that Java attacks are becoming ubiquitous is that they are highly successful and extremely productive. Krebs says that,

Attacks against Java vulnerabilities have fast emerged as the top moneymaker for authors of the best-selling “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities.

An example is the newest exploit kit, Blackhole: it finds a working exploit to install malware on a victim about 10% of the time, and Java accounts for more than 90% of those successful exploits. Krebs also shows that Java exploits are the most productive in the SEO Sploit Pack kit, accounting for 50-65% of malware installs.

Why is it that Java is so easy to exploit? A couple of factors can be blamed. One is that Java is everywhere, but few people know what it is or that it is even installed. Java runs in the background, and if users aren’t aware of it they aren’t going to make a point of updating it. The other factor could be mismanagement by Sun, now a part of Oracle Corp, which wanted to be an enterprise software company and ignored the fact that its software was installed on some 85% of all desktop computers.

Another question is why didn’t anyone catch on to this problem sooner? The MMPC has a theory,

IDS/IPS vendors, who are typically the folks that speak out first about new types of exploitation, have challenges with parsing Java code. Documents, multimedia, JavaScript – getting protection for these issues is challenging to get right. Now, think about incorporating a Java interpreter into an IPS engine? The performance impact on a network IPS could be crippling. So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light. Call it Java-blindness.

Now that we know what is going on, what can we do to avoid malware drama? If you don’t need Java, Krebs recommends removing it. Make sure to update Java frequently; in fact, a very important update for Java was just released today with fixes for 15 highly severe vulnerabilities. Updating is easy: Java comes with an auto-updater that checks for updates on the 14th day of every month, and it can be set to check more often.
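Since the advice above boils down to "know whether Java is installed and whether it is current", here is a small added example (written for this article, not code from Krebs or the MMPC) that parses the banner printed by `java -version` and flags an install that is older than a baseline you choose. The baseline version in `MINIMUM` is a placeholder assumption, not the release the article refers to; substitute the current patched release when you run it. The sample banners are constructed for the test and are not real scan output.

```python
import re
import subprocess
from typing import Optional, Tuple

# Matches the first line of `java -version` output, for example:
#   java version "1.6.0_21"
#   openjdk version "11.0.2" 2019-01-15
# Captures major, minor, micro and the optional "_NN" update number.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Assumed baseline (placeholder): treat anything older than this as unpatched.
MINIMUM: Tuple[int, int, int, int] = (1, 6, 0, 22)


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) parsed from a `java -version`
    banner, or None when the text does not look like a Java banner."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, micro, update = match.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_outdated(banner: str, minimum: Tuple[int, int, int, int] = MINIMUM) -> bool:
    """True when the banner reports a version older than `minimum`.
    An unparseable or empty banner is treated as outdated on purpose:
    an unknown Java is exactly the kind the article warns about."""
    version = parse_java_version(banner)
    return version is None or version < minimum


def installed_java_banner() -> str:
    """Run `java -version` on this host. The JVM prints the banner on
    stderr, so both streams are returned. Empty string if no java binary
    is on PATH or the command hangs."""
    try:
        proc = subprocess.run(
            ["java", "-version"], capture_output=True, text=True, timeout=10
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners used for demonstration only.
SAMPLE_OLD = 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)\n'
SAMPLE_NEW = 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)\n'


if __name__ == "__main__":
    for label, banner in (("constructed old", SAMPLE_OLD), ("constructed new", SAMPLE_NEW)):
        status = "OUTDATED" if is_outdated(banner) else "ok"
        print(f"{label}: {parse_java_version(banner)} -> {status}")
    live = installed_java_banner()
    if not live:
        print("this host: no java on PATH (nothing to update)")
    else:
        print(f"this host: {parse_java_version(live)} -> "
              f"{'OUTDATED' if is_outdated(live) else 'ok'}")
```

The check only sees the `java` binary first on PATH; a machine can carry several JREs (browser plug-in, bundled application runtimes), so for an inventory you would point it at each installation's `bin/java` rather than trusting PATH alone.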
