Microsoft warns of "unprecedented" Java exploitation

The number of attacks on vulnerable Java code spiked during the third quarter of the year and has reached “unprecedented” levels, a Microsoft malware expert said on Monday.

The increase was largely attributable to attacks on three Java vulnerabilities, all of which have patches available, Holly Stewart, senior program manager at Microsoft, wrote in a blog post Monday.

But despite the fixes being available from Oracle, the number of attacks against the flaws increased from hundreds of thousands per quarter to more than six million during the third quarter of 2010, Stewart said. Even by the start of the year – months before the spike – Java exploits already well outnumbered Adobe-related exploits.

“Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it,” Stewart wrote. “Now that our eyes are open, it is time for us to start reassessing yet another ubiquitous technology that attackers have found they can exploit.”

The number of Java vulnerabilities started “increasing dramatically” in 2008, Stewart said. However, until recently, the exploitation of Java flaws had not garnered serious attention among those in the security community.

Intrusion detection and prevention system vendors, which typically publicize new types of exploitation, have a difficult time parsing Java code, and as a result, might not have noticed the large number of attacks, Stewart said. Anti-malware vendors, meanwhile, have missed the surge in Java attacks because they place much of their focus on defending against common malware families, such as Zeus.

The huge uptick in attacks serves as a reminder about the importance of applying security updates for all software, Stewart said.

Just last week, Oracle released a batch of security fixes for Java. The update included 29 fixes across Java SE and Java for Business products. Fifteen of the Java flaws earned the highest score of 10 on the company's Common Vulnerability Scoring System (CVSS).
