
Java exploits skyrocket to over six million

Ubiquitous Java is today’s most exploited platform, claims Microsoft.


Java exploits have rocketed to over six million in the third quarter of this year, making it the most dangerous software currently running on any computer.

A report from Holly Stewart, a senior programme manager at Microsoft's Malware Protection Centre (MMPC), has shown that attacks in the second quarter numbered just under half a million, but a sudden spike beginning mid-quarter took them to unprecedented levels.

"The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now," she explained in her blog.

The reasons for the infection rate were two-fold. Firstly, Java tends to be installed and then forgotten, because it runs invisibly in the background. Secondly, several exploit kits have been produced that simplify the exploitation of vulnerabilities in Java.

Former Washington Post reporter Brian Krebs has also pointed out the dangers of Java in his krebsonsecurity.com blog. He has always advised his readers to avoid loading Java unless they find it essential.

"Attacks against Java vulnerabilities have fast emerged as the top money maker for authors of the best-selling exploit kits, commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of web-browser vulnerabilities," he wrote.

The problem is that Java has often been overlooked when it comes to patching. Though there has always been an automatic update mechanism, it is often turned off or, according to Krebs, sometimes fails to notify the user when an update becomes available.

Stewart expressed surprise at the lack of publicity for Java exploits but she admitted the routes of attack are numerous and pose a problem for intrusion protection software (IPS).

"Documents, multimedia, JavaScript: getting protection for these issues is challenging to get right," she said.

"Now, think about incorporating a Java interpreter into an IPS engine? The performance impact on a network IPS could be crippling. So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light. Call it Java-blindness."

Last June, Graham Cluley, senior technology consultant at anti-malware firm Sophos, noted an increase in Java exploitation. In his comments at the time he put his finger on the main attraction of Java: its ubiquity.

"I've not looked overly hard for a figure but, at JavaOne in 2008, Sun claimed that over 90 per cent of personal computers on the internet have Java. Hardly surprising that the bad guys are adding Java exploits to their toolkit then," he observed.

Java is not only available for virtually all computer operating systems but is also present on many smartphones, making for a massive potential market for exploit kits.

Krebs gave his advice: "If you haven't done so lately, take a moment to see if you have this program installed, and if you do, please make sure it is up to date. Just last week, Oracle issued another update, Java 6 Update 22, that fixes at least 29 security flaws in the program."
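The check Krebs recommends, and the "installed and then forgotten" problem described earlier, can be turned into a small inventory script. The following is an added example, not code from the article, from Krebs or from Oracle. It assumes a POSIX shell with `sed`, `awk` and `sort`, that `java -version` prints its banner to stderr in the usual `java version "1.6.0_21"` or `openjdk version "11.0.2"` form, and it uses Java 6 Update 22 (the update the article cites) as the baseline; the sample banners are constructed for offline testing, not captured from a real host.

```shell
#!/bin/sh
# Added example: report whether the Java on this host is older than a chosen baseline.
# Baseline assumed here: Java 6 Update 22 (1.6.0_22), the update the article mentions.
BASELINE_VERSION="1.6.0_22"

# extract_java_version BANNER: pull the quoted version out of a `java -version` banner.
# Works for both "java version "1.6.0_21"" and "openjdk version "11.0.2" 2019-01-15".
extract_java_version() {
  printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# version_key VERSION: "1.6.0_22" -> "0001.0006.0000.0022" so versions compare as plain strings.
# A build suffix such as "-b10" is dropped; missing components are treated as 0.
version_key() {
  printf '%s\n' "$1" | sed 's/-.*$//' | tr '._' '  ' | awk '{
    key = ""
    for (i = 1; i <= 4; i++) {
      v = (i <= NF) ? $i + 0 : 0
      key = key (i > 1 ? "." : "") sprintf("%04d", v)
    }
    print key
  }'
}

# is_outdated INSTALLED BASELINE: succeeds (exit 0) when INSTALLED is strictly older than BASELINE.
is_outdated() {
  installed_key=$(version_key "$1")
  baseline_key=$(version_key "$2")
  [ "$installed_key" != "$baseline_key" ] &&
    [ "$(printf '%s\n%s\n' "$installed_key" "$baseline_key" | sort | head -n 1)" = "$installed_key" ]
}

# check_installed_java: inspect the real `java` on PATH.
# Returns 0 if current, 1 if older than the baseline, 2 if Java is not installed at all.
check_installed_java() {
  if ! command -v java >/dev/null 2>&1; then
    echo "Java not found on PATH: nothing to patch"
    return 2
  fi
  banner=$(java -version 2>&1)          # the banner goes to stderr, so merge it in
  installed=$(extract_java_version "$banner")
  if is_outdated "$installed" "$BASELINE_VERSION"; then
    echo "OUTDATED: $installed is older than baseline $BASELINE_VERSION"
    return 1
  fi
  echo "OK: $installed is at or above baseline $BASELINE_VERSION"
  return 0
}

# Constructed sample banners (not taken from a real machine) to exercise the parser offline.
SAMPLE_OLD='java version "1.6.0_21"
Java(TM) SE Runtime Environment (build 1.6.0_21-b07)'
SAMPLE_NEW='openjdk version "11.0.2" 2019-01-15'

echo "sample old banner parses to: $(extract_java_version "$SAMPLE_OLD")"
echo "sample new banner parses to: $(extract_java_version "$SAMPLE_NEW")"

if check_installed_java; then
  echo "system Java status: current"
else
  echo "system Java status code: $?"
fi
```

The script deliberately treats "not installed" as a distinct outcome rather than an error, since not having Java at all is the article's first recommendation; in a fleet inventory the three exit codes (current, outdated, absent) can be collected per host to find the forgotten installs that never got the update.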
