Microsoft: ‘Unprecedented Wave of Java Exploitation’

Microsoft Corp. today warned that it is seeing a huge uptick in attacks against security holes in Java, a software package that is installed on the majority of the world’s desktop computers.

In a posting to the Microsoft Malware Protection Center blog, senior program manager Holly Stewart warned of an “unprecedented wave of Java exploitation,” and confirmed findings that KrebsOnSecurity.com published one week ago:  Java exploits have usurped Adobe-related exploits as attackers’ preferred method for breaking into Windows PCs.

Image courtesy Microsoft

Stewart said the spike in the third quarter of 2010 is primarily driven by attacks on three Java vulnerabilities that have already been patched for some time now. Even so, attacks against these flaws have “gone from hundreds of thousands per quarter to millions,” she added. Indeed, according to Microsoft’s one-year anniversary post for its Security Essentials anti-malware tool, exploits for a Java vulnerability pushed the Renos Trojan to the top of the list for all malware families (malware and exploits) detected in the United States.

My research shows the reason for the spike, and it precedes the 3rd quarter of 2010: Java exploits have been folded into a number of the top “exploit packs,” commercial crimeware kits sold in the hacker underground that make it simple to seed hacked or malicious sites with code that exploits a variety of browser flaws in a bid to install malware.

Stewart asks, “Why has no one been talking about Java-based exploits?” Then she answers her own question:

Looking back at the chart above, you can see that this exploitation has been happening for some time.  So, why has no one been talking about Java-based exploits?  (Well, almost no one.  Brian Krebs broke the ice this week).

I have a theory about why almost no one has noticed.  IDS/IPS vendors, who are typically the folks that speak out first about new types of exploitation, have challenges with parsing Java code.  Documents, multimedia, JavaScript – getting protection for these issues is challenging to get right.  Now, think about incorporating a Java interpreter into an IPS engine?  The performance impact on a network IPS could be crippling.  So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light.  Call it Java-blindness.

So, if the antimalware people can see it, why aren’t *they* talking about it?  Because, looking at the numbers, Java exploits (and most exploits for that matter) are very low-volume in comparison to the volume of common malware families like Zbot (a family for which we added detection in MSRT just this week).  What we have to remember is that, with exploits, it’s not about volume – they happen in a flash and you have to catch them in the act (with a real-time protection product such as Microsoft Security Essentials) before they open the door to lots of malware.  So, even small numbers, especially when they’re against unpatched vulnerabilities, matter a lot.

If you haven’t done so lately, take a moment to see if you have this program installed, and if you do, please make sure it is up to date. Just last week, Oracle issued another update — Java 6 Update 22 — that fixes at least 29 security flaws in the program.

KrebsonSecurity.com  will continue to post the newest security updates, when they become available. But, your computer installation of Java also includes a built-in updater that you should configure to check for updates as frequently as possible.

Allow me to reiterate my urgent advice from last week:

Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version. The program can also be set to check for updates every day or every week, although I have found Java’s updater often fails to detect when a new version is available. Alternatively, programs like FileHippo’s Update Checker and Secunia’s Personal Software Inspector can help users stay up to date on the latest security patches.

Оставьте комментарий