
Endless Exploit Attempts Underline Importance of Timely Java Patching

The appearance of a new exploit has helped turn the spotlight this week on a common target of attackers – Java software.


The exploit targets CVE-2011-3544 and has been observed for sale in the cyber-underground as part of the BlackHole crimeware kit. Oracle patched the vulnerability in October, but the exploit apparently generated enough interest for the hacker who maintains and sells BlackHole to offer $4,000 for it, minus the cost of a license for the kit.

In a blog post, Tim Rains, director of product management in Microsoft’s Trustworthy Computing group, wrote that Java’s ubiquity is the key reason it has become an attractive target for attackers.

“As reported in the latest volume of the Microsoft Security Intelligence Report (volume 11), the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK),” he wrote. “During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits. During this one year period, Microsoft (anti-malware) technologies detected or blocked, on average, 6.9 million exploit attempts on Java related components per quarter, totaling almost 27.5 million exploit attempts during the year.”

Adding to the exploits’ effectiveness is the fact that organizations often take their time when it comes to patching. Although users can download Java patches directly from Oracle, most enterprises rely on their operating system vendors to deliver them, explained Jonathan Cran, QA Director of the Metasploit Project at Rapid7. As a result, organizations patch Java sporadically, even though the patches themselves are available directly from Oracle soon after a vulnerability is disclosed, he said.

Oracle is patching the vulnerabilities, but the patches must then be distributed to the systems running the vulnerable software, he said.

“This distribution process isn’t always timely – case in point: Ubuntu Linux, which is still waiting for the update – and is handled differently across the different OSs (operating systems),” Cran said.

“What I’m really getting at is that each OS has made decisions about how to handle the updates for third-party software on their systems, for better or worse,” he continued. “Microsoft has pushed this process to the individual software manufacturer…(and) Apple and Canonical have rolled this functionality into their own Update / QA process. Moving it into the OS update process introduces lag, but also increases reliability that the patch will be eventually installed, especially by enterprise users. For now, Apple has been able to get the update out and appears to be a good model to follow, while Ubuntu users are still waiting. Microsoft Windows users will sporadically receive it over the next month, as the tray icon does its work.”

“This is analogous to the problems we’re seeing on the Android platform, where the OS manufacturer (Google) is creating and shipping updates, but it takes some time for these to be applied to the phones, if they’re ever made available by the phone manufacturer,” Cran added.
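The distribution lag Cran describes is only visible if you can tell which runtimes actually received the update. The script below is an added example (not code from the article, Rapid7 or any vendor quoted here): it parses the first line of `java -version` output, which the JRE prints on stderr, and reports whether each runtime predates a patched baseline. The baseline values are an assumption for illustration: Oracle's October 2011 Critical Patch Update, which addressed CVE-2011-3544, shipped as Java SE 6 Update 29 and Java SE 7 Update 1; the host names and version strings in the sample inventory are constructed. It also handles the modern "feature.interim.update" numbering of Java 9 and later, which the article does not cover.

```python
"""Audit Java runtimes against a patched baseline (added example, not from the article)."""
import re
import subprocess
from typing import Dict, NamedTuple, Optional


class JavaVersion(NamedTuple):
    family: int  # 6/7/8 for legacy "1.x.0_uu" strings, 9+ for "feature.interim.update"
    update: int  # the "_uu" update (legacy) or the third component (modern); 0 if absent


# ASSUMPTION: minimum patched level per family for CVE-2011-3544 (Oracle CPU, Oct 2011).
PATCHED_BASELINE: Dict[int, JavaVersion] = {
    6: JavaVersion(6, 29),
    7: JavaVersion(7, 1),
}

# Legacy format: java version "1.6.0_27", "1.7.0", "1.8.0_292-b10"
_LEGACY = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')
# Modern format (JEP 223): openjdk version "11.0.2", "9", "17.0.1"
_MODERN = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_java_version(line: str) -> Optional[JavaVersion]:
    """Return the version found on a `java -version` line, or None if there is none."""
    m = _LEGACY.search(line)  # must run first: _MODERN would read "1.6..." as family 1
    if m:
        return JavaVersion(int(m.group(1)), int(m.group(2) or 0))
    m = _MODERN.search(line)
    if m:
        return JavaVersion(int(m.group(1)), int(m.group(3) or 0))
    return None


def is_patched(v: JavaVersion, baseline=PATCHED_BASELINE) -> Optional[bool]:
    """True/False against the baseline for v's family; None if the family is not covered."""
    floor = baseline.get(v.family)
    if floor is None:
        return None
    return v.update >= floor.update


def classify(line: str, baseline=PATCHED_BASELINE) -> str:
    """Turn one version line into a status label for reporting."""
    v = parse_java_version(line)
    if v is None:
        return "no-java"
    state = is_patched(v, baseline)
    if state is None:
        return "unknown"  # family outside the baseline: review manually
    return "patched" if state else "VULNERABLE"


def audit(inventory: Dict[str, str], baseline=PATCHED_BASELINE) -> Dict[str, str]:
    """Map host -> status for a {host: version_line} inventory."""
    return {host: classify(line, baseline) for host, line in inventory.items()}


def local_java_version_line() -> str:
    """Capture the first line of `java -version` on this machine (it goes to stderr)."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "java: command not found"
    text = out.stderr or out.stdout
    return text.splitlines()[0] if text else ""


# Constructed sample inventory mirroring the lag across OS vendors described above.
SAMPLE_INVENTORY = {
    "ubuntu-ws-01": 'java version "1.6.0_26"',              # distro still waiting
    "mac-ws-02":    'java version "1.6.0_29"',              # vendor update applied
    "win-ws-03":    'java version "1.7.0"',                 # 7 GA, tray updater not run yet
    "win-ws-04":    'java version "1.7.0_01"',              # updated
    "build-05":     'openjdk version "11.0.2" 2019-01-15',  # outside the 6/7 baseline
    "kiosk-06":     "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {status}")
    print("local:", classify(local_java_version_line()))
```

Feeding `audit()` the version lines collected by whatever inventory tool you already run gives a per-host view of who is still waiting on the vendor's update channel. The "unknown" status is deliberate: a family the baseline does not list is flagged for review rather than silently treated as safe.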


Despite the challenges, Symantec Security Intelligence Manager Joshua Talbot said people shouldn’t be too quick to abandon Java.

“Individuals and organizations have to weigh their needs against the risk they face from a potential compromise,” he said. “Administrators and users should also remember that there are often many mitigating options available, such as only allowing Java from trusted sites and temporarily disabling Java until patches are available.”


Written By

Marketing professional with a background in journalism and a focus on IT security.
