Java Attacks Surge in 2013
"We did experience a dramatic submission rate increase in late 2012 and early 2013 with a high of 33 new vulnerabilities in one quarter alone," Gorenc said. "This increased submission rate resulted in some of the largest security patches by Oracle for Java in early 2013." ZDI, Gorenc said, anticipates that attackers in 2014 will continue to favor Java as the initial vector to deliver payloads onto a victim's machine. "The major reason for this preference is that most of Java's install base is running outdated versions, and attackers can continue to leverage the older exploits in their arsenal," Gorenc said. What Should Users Do?For users, Zakorzhevsky recommends that to reduce the risk of infection by Java exploits to turn off the entire Java plug-in. "If a Web application does not work because of this, you may switch on Java (updated to the latest version) at a time when it's needed, and then to turn it off," Zakorzhevsky recommends. Operating system choice is not necessarily a defense. Zakorzhevsky said that while the vast majority of attacks happen on Windows machines, since Java is a cross-platform technology, Mac users may also be attacked. "The famous Flashfake Mac OS botnet was distributed via infected Websites as a Java applet," Zakorzhevsky said. "And Flashfake used same vulnerabilities as in Java exploits that target Windows." While it's always good advice not to browse questionable sites, Zakorzhevsky said that's advice that isn't as relevant today when it comes to Java. "Nowadays, attackers infect Websites of large media publications, banks, software developers, etc.; therefore, any user may get attacked," Zakorzhevsky said. "Therefore, the only effective way to avoid the trap is to reduce the use of Java to a minimum." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
In terms of how to fix the Java exploit situation, Kaspersky's Zakorzhevsky suggests that Oracle adopt a robust silent updating mechanism, similar to the one used in Google's Chrome Web browser. In Google Chrome, users are automatically updated to new versions without the need for any user interaction.