Hackers continue to launch attacks exploiting vulnerabilities in Oracle's Java software in record numbers, Microsoft said Monday.
Citing research from a recent report, Tim Rains, a director in the company's Trustworthy Computing group, said that up to half of all attacks detected and blocked by Microsoft's security software over a 12-month period were Java exploits.
Altogether, Microsoft stopped more than 27 million Java exploits from mid-2010 through mid-2011.
Most of those exploits targeted long-ago-patched vulnerabilities, said Rains.
The most commonly-blocked Java attacks -- to the tune of over 2.5 million of them -- in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the full 12-month stretch was an exploit of a bug patched in early December 2008, nearly three years ago.
Other bugs that made the actively-exploited list were quashed in November 2009 and March 2010.
Rain's comments followed a similar message from Microsoft in October 2010, when the company said an "unprecedented wave" of attacks were exploiting Java flaws.
Microsoft's findings were no surprise to outside security researchers.
"Most [Windows] machines are just not up-to-date with Java," said Wolfgang Kandek, chief technology officer at Qualys, a California developer of security risk and compliance management software and services.
Qualys regularly mines data from the customers' machines it protects to get a feel for updating practices. And for Java, those practices are pathetic.
"Java updates lag behind seriously," said Kandek, like Rains reiterating a 2010 take. "Eighty-four percent of the machines we see don't have the June 2011 Java update installed, 81% don't have the February 2011 update and 60% don't have the March 2010 update."
Qualys doesn't have enough scanning data yet to measure the patch rate for the October 2011 update, Oracle's latest, but Kandek estimated that as many as 90% of Windows PCs hadn't deployed those fixes.
Enterprises typically patch vulnerabilities in Microsoft's Windows much faster, Kandek continued, citing a "half-life" -- meaning that half of all machines are patched -- of 29 days for run-of-the-mill Windows bugs. Critical patches are deployed even quicker: Their half-life is about 15 days.
The pervasiveness of Java is one explanation for the high volume of attacks exploiting its bugs, said Andrew Storms, director of security operations for nCircle Security, in an interview conducted via instant message.
But its virtual invisibility to users is another.
"Java is not something [most users] interact with ... similar to how Adobe Flash or Reader became the big, but silent, target," said Storms. "It's on everyone's computer, but rarely do you interact with it. [So] from the attackers' perspective, using Java as the silent killer is a smart move. If people don't know what it is or know what it does, they are less likely to update it. As such, you have to imagine there are tons and tons of old vulnerable installs out there."
Some of Qualys' enterprise customers are among those running out-of-date editions, said Kandek. "One issue is internal applications that require older versions of Java," he said.
Qualys' recommendation to companies in that boat: Block Java's use outside the network perimeter.
Criminal developers who craft exploit kits are constantly adding new Java exploits to their wares, Kandek continued, to supplement the older-but-still-effective exploits of older bugs. Those kits already have been equipped with exploits of the bugs Oracle patched in October.
Qualys provides its clients with an exploit mapper that shows which vulnerabilities are being leveraged in such kits. "If they cannot patch every vulnerability, this gives them a list of those that we know are being used in the wild right now," Kandek said.
Others have taken a much more aggressive line on Java.
Noted security blogger Brian Krebs, a former Washington Post reporter, has repeatedly urged consumers to uninstall Java from their Windows machines.
On Monday, echoing Kandek's claim that exploit kits are now armed with attack code that targets Java vulnerabilities Oracle patched in October, Krebs again advised users to scrub the Java plug-in from their browsers.
Microsoft's Rains didn't go that far, instead telling users that they should update Java, and keep it up to date.
"There is just too little focus, even now, on Java and its updates," said Kandek. "It's being exploited ... right now."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.