
Oracle Java Vulnerability Exploit Rolled into BlackHole Kit, Security Pros Urge Patch

Organizations should move to patch a Java vulnerability being targeted by attackers in the wild, security experts say.

The vulnerability in question is CVE-2012-0507, a remote execution bug patched by Oracle in February. Earlier this month, researchers at Microsoft spotted it being used in attacks to circumvent the sandbox mechanism in the Java Runtime Environment (JRE). Now, security blogger Brian Krebs has reported that cybercriminals have packaged an exploit for the bug into the infamous BlackHole toolkit.

BlackHole has emerged as one of the most widely used malware kits sold on the Web. According to security firm AVG Technologies, it accounted for more than 80 percent of toolkit detections during the fourth quarter of 2011. Krebs reported this week he had found several posts on underground carding forums stating the exploit has been included in the kit.

Security pros have commented before that the ubiquity of Java has made it an attractive target for attackers. In fact, Microsoft reported in November that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in JRE, Java Virtual Machine (JVM) and Java SE in the Java Development Kit (JDK).

“We see very slow patching rates as far as Java is concerned,” opined Wolfgang Kandek, CTO of Qualys. “In our enterprise statistics, Java is one of the slowest software to be addressed by enterprise customers, in stark contrast to operating systems, browsers and even Microsoft Office productivity applications where patching rates have improved significantly and a large percentage of problems get addressed within the first 30 days.”

“On the consumer side, Java is equally slow in getting updated,” he added. “On average 42 percent of consumer desktops have vulnerable versions of Java installed.”

Statistics from vulnerability management firm Rapid7 tell a similar story based on its analysis of the Java patching habits of Internet users. According to the company, in the first month after a Java patch is released, the fix is deployed by less than 10 percent of users. After two months, the number jumps to approximately 20 percent. The highest patch rate for Java last year was 38 percent, which represented the percentage who applied Java Version 6 Update 26 within three months of its release.

“There is a huge lack of awareness when it comes to an application that runs in the background for the most part,” said Marcus Carey, security researcher with Rapid7. “Some people look at computer programs with the ‘set it and forget it’ mindset. As long as it works, they aren’t upgrading anything and are unaware that they could be compromised.”

In addition, some applications used by businesses may only work with older versions of Java, Carey said, requiring these companies to undergo a “significant capital investment” to update the software.

“They are stuck between a rock and a hard place, where they can’t live without the application and can’t afford to upgrade it,” he said.

In those cases, Kandek recommended organizations utilize a whitelisting strategy to limit Java to the “Trusted Sites” in Internet Explorer, which could greatly reduce successful attacks.
