'Unprecedented wave' of Java exploits hits users, says Microsoft

Java makes a tempting target, adds Symantec

Microsoft said Monday that an "unprecedented wave" of attacks are exploiting vulnerabilities in Oracle's Java software.

According to a manager with Microsoft's Malware Protection Center (MMPC), attempts to exploit Java bugs have skyrocketed in the last nine months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter.

"Some of our exploit 'malware' families were telling a scary story ... an unprecedented wave of Java exploitation," said Holly Stewart, a senior program manager with the MMPC, in a post to the team's blog Monday.

Stewart went on to call the jump in Java attacks "scary" and added, "The spike in exploitation was surprising to say the least."

Oracle is a rival of Microsoft 's, most notably in the enterprise database market, where Microsoft 's SQL Server competes with Oracle 's flagship database server software.

Stewart noted that the bulk of the attacks in the quarter that ended Sept. 30 were exploiting just three Java vulnerabilities, all of which had been patched months or even years ago.

More than 3.5 million of the 6-plus million attacks, for instance, tried to exploit a Java Runtime Environment (JRE) flaw that was patched in December 2008. More than 2.6 million additional attacks targeted a stack-based buffer overflow in Java and JRE in December 2009.

Stewart had a theory why the massive increase in attacks went unnoticed, basing it on what she claimed was "Java blindness" on the part of vendors that produce and sell intrusion detection and intrusion prevention systems (IDS and IPS, respectively), software designed to sniff out and stop exploits before they reach a company's computers.

"IDS/IPS vendors ... have challenges with parsing Java code," Stewart alleged. "Think about incorporating a Java interpreter into an IPS engine ... the performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in exploitation might have a hard time seeing this. Call it Java-blindness."

It makes sense for attackers to work up exploits against Java vulnerabilities, said Marc Fossi, the director of Symantec's security response team. "Since Java is both cross- browser and cross-platform, it can be appealing to attackers," he said via instant message, referring to Java's use by every major browser , and on Windows, Mac OS and Linux .

Others posed their own theories about why Java exploits have boomed.

Last month, security blogger Brian Krebs reported that "Crimepack," one of the many multi-strike attack kits hackers use to plant their malware on vulnerable computers, was extremely successful in exploiting a Java flaw patched last April.

According to Crimepack exploit statistics that Krebs found online, 67% of the successful attacks logged by one hacker gang exploited the Java vulnerability.

Oracle patched that Java bug in mid-April, just six days after Google security engineer Tavis Ormandy disclosed the flaw .

Attackers using kits like Crimepack typically fire exploits against older vulnerabilities first, explained Symantec's Fossi. "Attack kits tend to include a pretty wide array of exploits targeting the browser, browser plug-ins, and other client-side apps," he said. "They typically attempt to exploit older vulnerabilities first ... that way the newer exploits aren't seen as much," he said.

Microsoft's Stewart urged users to update Java by applying all available patches. Last Tuesday, Oracle issued a massive 85-patch update that included 29 fixes for Java alone.

Krebs has long offered up stronger advice, telling users to uninstall Java or at the least, to use update tools like Secunia's Personal Software Inspector to automatically install Java security updates.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftOraclesoftwareapplicationsCybercrime and HackingApp Security

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Essentials

James Cook University - Master of Data Science Online Course

Learn more >

Mobile

Victorinox Werks Professional Executive 17 Laptop Case

Learn more >

Exec

Budget

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?