'Unprecedented wave' of Java exploits hits users, says Microsoft
Java makes a tempting target, adds Symantec
Computerworld - Microsoft said Monday that an "unprecedented wave" of attacks are exploiting vulnerabilities in Oracle's Java software.
According to a manager at Microsoft's Malware Protection Center (MMPC), attempts to exploit Java bugs have skyrocketed in the past nine months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter.
"Some of our exploit 'malware' families were telling a scary story ... an unprecedented wave of Java exploitation," said Holly Stewart, a senior program manager at the MMPC, in a post to the team's blog Monday.
Stewart went on to call the jump in Java attacks "scary" and added, "The spike in exploitation was surprising to say the least."
Stewart noted that the bulk of the attacks in the quarter that ended Sept. 30 were exploiting just three Java vulnerabilities, all of which had been patched months or even years ago.
More than 3.5 million of the more than 6 million attacks, for instance, tried to exploit a Java Runtime Environment (JRE) flaw that was patched in December 2008. More than 2.6 million additional attacks targeted a stack-based buffer overflow in Java and JRE in December 2009.
Stewart had a theory why the massive increase in attacks went unnoticed, basing it on what she claimed was "Java blindness" on the part of vendors that produce and sell intrusion-detection and -prevention software, which is designed to sniff out and stop exploits before they reach a company's computers.
"IDS/IPS vendors ... have challenges with parsing Java code," Stewart alleged. "Think about incorporating a Java interpreter into an IPS engine. ... [T]he performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in exploitation might have a hard time seeing this. Call it Java-blindness."
It makes sense for attackers to work up exploits against Java vulnerabilities, said Marc Fossi, the director of Symantec's security response team. "Since Java is both cross-browser and cross-platform, it can be appealing to attackers," he said via instant message, referring to Java's use by every major browser, and on Windows, Mac OS and Linux.
Others offered their own theories about why Java exploits have boomed.
Last month, security blogger Brian Krebs reported that "Crimepack," one of the many multistrike attack kits hackers use to plant their malware on vulnerable computers, was extremely successful in exploiting a Java flaw patched last April.
According to Crimepack exploit statistics that Krebs found online, 67% of the successful attacks logged by one hacker gang exploited the Java vulnerability.
Attackers using kits like Crimepack typically fire exploits against older vulnerabilities first, explained Symantec's Fossi. "Attack kits tend to include a pretty wide array of exploits targeting the browser, browser plug-ins and other client-side apps," he said. "They typically attempt to exploit older vulnerabilities first. That way the newer exploits aren't seen as much."
Microsoft's Stewart urged users to update Java by applying all available patches. Last Tuesday, Oracle issued a massive 85-patch update that included 29 fixes for Java alone.
Krebs has long offered up stronger advice, telling users to uninstall Java or to at the very least use update tools like Secunia's Personal Software Inspector to automatically install Java security updates.
Oracle did not respond to a request for comment on Microsoft's claims of spiking Java exploits.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Microsoft dips toe in Office unbundling water
- Microsoft plans to patch critical under-attack IE bug next week
- Ballmer regrets not aping Apple sooner
- OS upgrades: Cheap is better than pricey, free is better than cheap
- Update: More top-tier Microsoft execs head for the door
- Microsoft ships Office 2013 SP1 the old-fashioned way
- Microsoft's 'go-low' play puts Windows revenue on the line
- Microsoft: Android Nokia not our call to make
- Gates sells another 20M shares; lead over Ballmer shrinks to nearly nothing
- Hey Microsoft, where's the next Mac Office?
Read more about Application Security in Computerworld's Application Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Riverbed Stingray Application Firewall: Securing Cloud Applications with a Distributed Web Application Firewall Responsibility over IT security is moving away from the network and IT infrastructure and to the application and software architecture itself. IT organizations...
- Web Application Firewalls--Laying the Myths to Rest This paper addresses some of the myths about WAFs and outlines how businesses are optimizing their investment in protecting their ever-evolving web apps.
- PCI DSS Compliance in Cloud Environments This technology analysis addresses the challenges of the evolving cloud security landscape and how organizations can achieve PCI DSS compliance in cloud environments...
- Web Attack Survival Guide This guide will help you protect your organization from external threats targeting your high-value applications and data assets.
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
On-Demand Webcast: 7 Reasons to Choose VoIP
Thinking about a new phone system for your business?
Be sure to watch this informative webcast. Steve Strauss, small business columnist for USA...
All Application Security White Papers |