Endless Exploit Attempts Underline Importance of Timely Java Patching

The appearance of a new exploit has helped turn the spotlight this week on a common target of attackers – Java software.

The exploit targets CVE-2011-3544, and has been observed being sold in the cyber-underground as part of the BlackHole crimeware kit. The vulnerability was patched by Oracle in October, but apparently has generated enough interest for the hacker responsible for maintaining and selling BlackHole to offer $4,000 – minus the cost of a license for the kit.

In a blog post, Tim Rains, director of product management in Microsoft’s Trustworthy Computing group, wrote that Java’s ubiquity has been the key reason it has become an attractive target for attackers.

“As reported in the latest volume of the Microsoft Security Intelligence Report (volume 11), the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK),” he wrote. “During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits. During this one year period, Microsoft (anti-malware) technologies detected or blocked, on average, 6.9 million exploit attempts on Java related components per quarter, totaling almost 27.5 million exploit attempts during the year.”

Adding to the exploits’ efficacy is the fact that organizations often take their time when it comes to patching. Though users could download Java patches directly from Oracle, most enterprises rely on the operating system vendors to provide the patches, explained Jonathan Cran, QA Director of the Metasploit Project at Rapid7. As a result, organizations patch Java sporadically, even though the patches themselves were available directly from Oracle soon after the vulnerability was disclosed, he said.

Oracle is patching the vulnerabilities, but the patches must then be distributed to the systems running the vulnerable software, he said.

“This distribution process isn’t always timely – case in point: Ubuntu Linux, which is still waiting for the update – and is handled differently across the different OSs (operating systems),” Cran said.

“What I’m really getting at is that each OS has made decisions about how to handle the updates for third-party software on their systems, for better or worse,” he continued. “Microsoft has pushed this process to the individual software manufacturer…(and) Apple and Canonical have rolled this functionality into their own Update / QA process. Moving it into the OS update process introduces lag, but also increases reliability that the patch will be eventually installed, especially by enterprise users. For now, Apple has been able to get the update out and appears to be a good model to follow, while Ubuntu users are still waiting. Microsoft Windows users will sporadically receive it over the next month, as the tray icon does its work.”

“This is analogous to the problems we’re seeing on the Android platform, where the OS manufacturer (Google) is creating and shipping updates, but it takes some time for these to be applied to the phones, if they’re ever made available by the phone manufacturer,” Cran added.


Despite the challenges, Symantec Security Intelligence Manager Joshua Talbot said people shouldn’t be too quick to jump from Java.

“Individuals and organizations have to weigh their needs against the risk they face from a potential compromise,” he said. “Administrators and users should also remember that there are often many mitigating options available, such as only allowing Java from trusted sites and temporarily disabling Java until patches are available.”
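The patch-lag problem described above only becomes actionable once an administrator can see which hosts still run a pre-fix Java. The following audit script is an added illustration, not code from the article or from any vendor quoted in it: it parses the version string that `java -version` prints and flags hosts below a fixed baseline. The baseline update levels (6 Update 29 and 7 Update 1) are my assumption of what Oracle’s October 2011 update shipped; the article does not state them, and the host outputs are constructed samples.

```python
import re

# Constructed sample of `java -version` output collected from a few hosts (not from the article).
SAMPLE_INVENTORY = {
    "win-desktop-01":  'java version "1.6.0_26"',
    "mac-laptop-02":   'java version "1.6.0_29"',
    "ubuntu-build-03": 'java version "1.7.0"',      # JDK 7 GA prints no _NN update suffix
    "win-desktop-04":  'java version "1.7.0_01"',
    "file-server-05":  "bash: java: command not found",
}

# Assumed baseline: first update level of each major release that carries the fix.
# Treat these as an assumption to verify against the vendor's release notes.
PATCHED_BASELINE = {6: 29, 7: 1}

# Java 6/7 report themselves as 1.<major>.0_<update>; the update part is optional.
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')

def parse_java_version(output):
    """Return (major, update) parsed from `java -version` output, or None if no Java is present."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0   # missing suffix means the GA build, update 0
    return major, update

def is_patched(version):
    """Compare numerically: a string compare would rank "1.6.0_29" below "1.6.0_3"."""
    major, update = version
    baseline = PATCHED_BASELINE.get(major)
    if baseline is None:
        # Majors newer than the baseline table are assumed to include the fix;
        # older, unlisted majors are conservatively reported as vulnerable.
        return major > max(PATCHED_BASELINE)
    return update >= baseline

def audit(inventory):
    """Map each host to 'patched', 'vulnerable' or 'no-java'."""
    result = {}
    for host, output in inventory.items():
        version = parse_java_version(output)
        if version is None:
            result[host] = "no-java"
        else:
            result[host] = "patched" if is_patched(version) else "vulnerable"
    return result

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {state}")
```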


Written By

Marketing professional with a background in journalism and a focus on IT security.
