In recent years, Java has become a highly targeted part of the modern computing experience, and it's a trend that continues to grow, according to multiple security vendors.
According to a new report from Kaspersky Lab, there were 14.1 million Java exploit attacks in the one-year period from September 2012 to August 2013, with the bulk of the attacks occurring in 2013. From March to August of 2013, Kaspersky reported that it was aware of 8.54 million Java exploit attacks.
There are a number of reasons why there has been such a high volume of Java exploit attacks in 2013. First of all, there is an attack spike due to the fact that critical vulnerabilities (i.e., ones that can be used in exploits) appear in Java with surprising regularity, Vyacheslav Zakorzhevsky, senior virus analyst at Kaspersky Lab, told eWEEK. For example, in the first quarter of 2013 four of them were discovered: CVE-2013-0422, CVE-2013-0431, CVE-2013-0437 and CVE-2013-1493.
"At the same time, vulnerabilities in, let's say, Adobe Reader and Adobe Flash Player occur much less frequently, and they are more difficult to exploit, for a number of different reasons," Zakorzhevsky said.
The Kaspersky data echoes similar findings from Hewlett-Packard, detailed during a 2013 Black Hat USA talk. Brian Gorenc, manager of the Zero Day Initiative at HP Security Research, told eWEEK that from HP's perspective the increase in Java attacks in 2013 is in large part due to exploit kit authors.
Exploit kits package up known exploits and make them easy for attacks to execute.
"Exploit kit authors seem to gravitate toward Java as a result of the weaknesses being discovered in its sandbox implementation," Gorenc said.
The Kaspersky report highlights the fact that during the September 2012 to August 2013 period, more than 160 new vulnerabilities were detected in Java. The most recent Java security patch came out in mid-October patching 51 new Java vulnerabilities.
Although there is no shortage of new Java vulnerabilities, according to HP's research, exploit kit authors seem to be going after existing unpatched systems. Gorenc said that what he is seeing are vulnerabilities discovered in 2012 that are still successfully used today.
"By far, the most common vulnerability type being leveraged by the exploit kits are sandbox bypass weaknesses," Gorenc said. "Attackers prefer these weaknesses in Java as their exploits don't have to bypass operating system-level protections that are in place to stop memory corruption vulnerabilities from being exploited."
Kaspersky's data confirms that many users are still running older unpatched versions of Java on their devices. Only 42.5 percent of the users in the Kaspersky report were found to be running the latest Java version. That said, Zakorzhevsky noted that more than 99 percent of detected attacks are attempts to launch a Java exploit on a PC with antivirus installed.
"Often the attempts happen even if the latest version of Java is installed because attackers do not always check the version of Java," Zakorzhevsky added.
HP's Zero Day Initiative (ZDI) buys security vulnerabilities from researchers and has been doing a brisk business in Java. Gorenc said that ZDI's submission rate for Java vulnerabilities has been consistently high over the last three years.