In recent years, Java has become a highly targeted part of the modern computing experience, and it’s a trend that continues to grow, according to multiple security vendors.
According to a new report from Kaspersky Lab, there were 14.1 million Java exploit attacks in the one-year period from September 2012 to August 2013, with the bulk of the attacks occurring in 2013. From March to August of 2013, Kaspersky reported that it was aware of 8.54 million Java exploit attacks.
There are a number of reasons why there has been such a high volume of Java exploit attacks in 2013. First of all, there is an attack spike due to the fact that critical vulnerabilities (i.e., ones that can be used in exploits) appear in Java with surprising regularity, Vyacheslav Zakorzhevsky, senior virus analyst at Kaspersky Lab, told eWEEK. For example, in the first quarter of 2013 four of them were discovered: CVE-2013-0422, CVE-2013-0431, CVE-2013-0437 and CVE-2013-1493.
“At the same time, vulnerabilities in, let’s say, Adobe Reader and Adobe Flash Player occur much less frequently, and they are more difficult to exploit, for a number of different reasons,” Zakorzhevsky said.
The Kaspersky data echoes similar findings from Hewlett-Packard, detailed during a 2013 Black Hat USA talk. Brian Gorenc, manager of the Zero Day Initiative at HP Security Research, told eWEEK that from HP’s perspective the increase in Java attacks in 2013 is in large part due to exploit kit authors.
Exploit kits package up known exploits and make them easy for attacks to execute.
“Exploit kit authors seem to gravitate toward Java as a result of the weaknesses being discovered in its sandbox implementation,” Gorenc said.
New Vulnerabilities
The Kaspersky report highlights the fact that during the September 2012 to August 2013 period, more than 160 new vulnerabilities were detected in Java. The most recent Java security patch came out in mid-October patching 51 new Java vulnerabilities.
Although there is no shortage of new Java vulnerabilities, according to HP’s research, exploit kit authors seem to be going after existing unpatched systems. Gorenc said that what he is seeing are vulnerabilities discovered in 2012 that are still successfully used today.
“By far, the most common vulnerability type being leveraged by the exploit kits are sandbox bypass weaknesses,” Gorenc said. “Attackers prefer these weaknesses in Java as their exploits don’t have to bypass operating system-level protections that are in place to stop memory corruption vulnerabilities from being exploited.”
Kaspersky’s data confirms that many users are still running older unpatched versions of Java on their devices. Only 42.5 percent of the users in the Kaspersky report were found to be running the latest Java version. That said, Zakorzhevsky noted that more than 99 percent of detected attacks are attempts to launch a Java exploit on a PC with antivirus installed.
“Often the attempts happen even if the latest version of Java is installed because attackers do not always check the version of Java,” Zakorzhevsky added.
Disclosure
HP’s Zero Day Initiative (ZDI) buys security vulnerabilities from researchers and has been doing a brisk business in Java. Gorenc said that ZDI’s submission rate for Java vulnerabilities has been consistently high over the last three years.
Java Attacks Surge in 2013
“We did experience a dramatic submission rate increase in late 2012 and early 2013 with a high of 33 new vulnerabilities in one quarter alone,” Gorenc said. “This increased submission rate resulted in some of the largest security patches by Oracle for Java in early 2013.”
ZDI, Gorenc said, anticipates that attackers in 2014 will continue to favor Java as the initial vector to deliver payloads onto a victim’s machine.
“The major reason for this preference is that most of Java’s install base is running outdated versions, and attackers can continue to leverage the older exploits in their arsenal,” Gorenc said.
What Should Users Do?
In terms of how to fix the Java exploit situation, Kaspersky’s Zakorzhevsky suggests that Oracle adopt a robust silent updating mechanism, similar to the one used in Google’s Chrome Web browser. In Google Chrome, users are automatically updated to new versions without the need for any user interaction.
For users, Zakorzhevsky recommends that to reduce the risk of infection by Java exploits to turn off the entire Java plug-in.
“If a Web application does not work because of this, you may switch on Java (updated to the latest version) at a time when it’s needed, and then to turn it off,” Zakorzhevsky recommends.
Operating system choice is not necessarily a defense. Zakorzhevsky said that while the vast majority of attacks happen on Windows machines, since Java is a cross-platform technology, Mac users may also be attacked.
“The famous Flashfake Mac OS botnet was distributed via infected Websites as a Java applet,” Zakorzhevsky said. “And Flashfake used same vulnerabilities as in Java exploits that target Windows.”
While it’s always good advice not to browse questionable sites, Zakorzhevsky said that’s advice that isn’t as relevant today when it comes to Java.
“Nowadays, attackers infect Websites of large media publications, banks, software developers, etc.; therefore, any user may get attacked,” Zakorzhevsky said. “Therefore, the only effective way to avoid the trap is to reduce the use of Java to a minimum.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.