The number of attacks on vulnerable Java code spiked during the third quarter of the year and has reached “unprecedented” levels, a Microsoft malware expert said on Monday.
The increase was largely attributable to attacks on three Java vulnerabilities, all of which have patches available, Holly Stewart, senior program manager at Microsoft, wrote in a blog post Monday.
But despite the fixes being available from Oracle, the number of attacks against the flaws increased from hundreds of thousands per quarter to more than six million during the third quarter of 2010, Stewart said. Even by the start of the year – months before the spike – Java exploits already well outnumbered Adobe-related exploits.
“Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don’t think to update it,” Stewart wrote. “Now that our eyes are open, it is time for us to start reassessing yet another ubiquitous technology that attackers have found they can exploit.”
The number of Java vulnerabilities started “increasing dramatically” in 2008, Stewart said. Until recently, however, exploitation of Java flaws had not garnered serious attention in the security community.
Intrusion detection and prevention system vendors, which typically publicize new types of exploitation, have a difficult time parsing Java code, and as a result, might not have noticed the large number of attacks, Stewart said. Anti-malware vendors, meanwhile, have missed the surge in Java attacks because they place much of their focus on defending against common malware families, such as Zeus.
The huge uptick in attacks serves as a reminder about the importance of applying security updates for all software, Stewart said.
Just last week, Oracle released a batch of security fixes for Java. The update included 29 fixes across the Java SE and Java for Business products. Fifteen of the Java flaws carry the highest possible Common Vulnerability Scoring System (CVSS) base score of 10, meaning they can be exploited remotely without authentication to fully compromise the affected system.