Hackers launch millions of Java exploits, says Microsoft
Cryin' shame: 60% of Windows PCs lack 18-month-old Java update, adds expert
Computerworld - Hackers continue to launch attacks exploiting vulnerabilities in Oracle's Java software in record numbers, Microsoft said Monday.
Citing research from a recent report, Tim Rains, a director in the company's Trustworthy Computing group, said that up to half of all attacks detected and blocked by Microsoft's security software over a 12-month period were Java exploits.
Altogether, Microsoft stopped more than 27 million Java exploits from mid-2010 through mid-2011.
Most of those exploits targeted long-ago-patched vulnerabilities, said Rains.
The most commonly-blocked Java attacks -- to the tune of over 2.5 million of them -- in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the full 12-month stretch was an exploit of a bug patched in early December 2008, nearly three years ago.
Other bugs that made the actively-exploited list were quashed in November 2009 and March 2010.
Rain's comments followed a similar message from Microsoft in October 2010, when the company said an "unprecedented wave" of attacks were exploiting Java flaws.
Microsoft's findings were no surprise to outside security researchers.
"Most [Windows] machines are just not up-to-date with Java," said Wolfgang Kandek, chief technology officer at Qualys, a California developer of security risk and compliance management software and services.
Qualys regularly mines data from the customers' machines it protects to get a feel for updating practices. And for Java, those practices are pathetic.
"Java updates lag behind seriously," said Kandek, like Rains reiterating a 2010 take. "Eighty-four percent of the machines we see don't have the June 2011 Java update installed, 81% don't have the February 2011 update and 60% don't have the March 2010 update."
Qualys doesn't have enough scanning data yet to measure the patch rate for the October 2011 update, Oracle's latest, but Kandek estimated that as many as 90% of Windows PCs hadn't deployed those fixes.
Enterprises typically patch vulnerabilities in Microsoft's Windows much faster, Kandek continued, citing a "half-life" -- meaning that half of all machines are patched -- of 29 days for run-of-the-mill Windows bugs. Critical patches are deployed even quicker: Their half-life is about 15 days.
The pervasiveness of Java is one explanation for the high volume of attacks exploiting its bugs, said Andrew Storms, director of security operations for nCircle Security, in an interview conducted via instant message.
But its virtual invisibility to users is another.
"Java is not something [most users] interact with ... similar to how Adobe Flash or Reader became the big, but silent, target," said Storms. "It's on everyone's computer, but rarely do you interact with it. [So] from the attackers' perspective, using Java as the silent killer is a smart move. If people don't know what it is or know what it does, they are less likely to update it. As such, you have to imagine there are tons and tons of old vulnerable installs out there."
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts