Java exploits skyrocket to over six million
Ubiquitous Java is today’s most exploited platform, claims Microsoft.
Java exploits have rocketed to over six million in the third quarter of this year, making it the most dangerous software currently running on any computer.
A report from Holly Stewart, a senior programme manager at Microsoft's Malware Protection Centre (MMPC), has shown that attacks in the second quarter were just under half a million, but a sudden spike that started mid-quarter took them to unprecedented levels.
"The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now," she explained in her blog.
The reason for the infection rate was two-fold. Firstly, Java tends to be loaded and then forgotten because it runs invisibly in the background. Secondly, several exploit kits have been produced that simplify exploitation of vulnerabilities in Java.
Former Washington Post reporter Brian Krebs has also pointed out the dangers of Java in his krebsonsecurity.com blog. He has always advised his readers to avoid loading Java unless they find it essential.
"Attacks against Java vulnerabilities have fast emerged as the top money maker for authors of the best-selling 'exploit kits', commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of web-browser vulnerabilities," he wrote.
The problem is Java has often been overlooked when it comes to patching. Though there has always been an automatic update, it is often turned off or, according to Krebs, sometimes fails to notify when an update becomes available.
Stewart expressed surprise at the lack of publicity for Java exploits but she admitted the routes of attack are numerous and pose a problem for intrusion protection software (IPS).
"Now, think about incorporating a Java interpreter into an IPS engine? The performance impact on a network IPS could be crippling. So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light. Call it Java-blindness."
Last June, Graham Cluley, senior technology consultant at anti-malware firm Sophos, noted an increase in Java exploitation. In his comments at the time he put his finger on the main attraction of Java: its ubiquity.
"I've not looked overly hard for a figure but, at JavaOne in 2008, Sun claimed that over 90 per cent of personal computers on the internet have Java. Hardly surprising that the bad guys are adding Java exploits to their toolkit then," he observed.
Java is not only available for virtually all computer operating systems but also pairs with many smartphones, making a massive potential market for exploit kits.
Krebs gave his advice: "If you haven't done so lately, take a moment to see if you have this program installed, and if you do, please make sure it is up to date. Just last week, Oracle issued another update (Java 6, Update 22) that fixes at least 29 security flaws in the program."
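The check Krebs recommends, as an added example that is not part of the article: it parses the banner that `java -version` prints and flags an install older than the update the article names (Java 6 Update 22, written by the JVM as 1.6.0_22). The sample banners in the comments are constructed; the baseline value comes from the article.

```python
"""Added example (not from the article): flag Java installs older than the
update the article mentions, Java 6 Update 22 (reported as 1.6.0_22)."""
import re
import subprocess
from typing import Optional, Tuple

# Oldest acceptable release per the article: (major, minor, patch, update) for 6u22.
BASELINE = (1, 6, 0, 22)

# `java -version` writes its banner to stderr; the first line looks like
#   java version "1.6.0_22"
# Some builds print a bare "1.6.0" with no update number, so that part is optional.
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, update) from a `java -version` banner,
    or None when the banner is not recognised (Java absent, unusual vendor text)."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_outdated(version: Tuple[int, int, int, int], baseline=BASELINE) -> bool:
    """Tuple comparison: 1.6.0_21 is outdated, 1.6.0_22 and 1.6.0_23 are not.
    A newer major line (e.g. 1.7.x) compares as newer; this check only
    answers "is this older than the 6u22 fix", nothing about other lines."""
    return version < baseline


def installed_java_version() -> Optional[Tuple[int, int, int, int]]:
    """Run the real `java -version`; None if java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    v = installed_java_version()
    if v is None:
        print("Java not found on PATH (or banner not recognised)")
    else:
        label = ".".join(map(str, v[:3])) + f"_{v[3]}"
        print("installed", label, "OUTDATED" if is_outdated(v) else "ok")
```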