Endless Exploit Attempts Underline Importance of Timely Java Patching

The appearance of a new exploit has helped turn the spotlight this week on a common target of attackers – Java software.

The exploit targets CVE-2011-3544, and has been observed being sold in the cyber-underground as part of the BlackHole crimeware kit. The vulnerability was patched by Oracle in October, but apparently has generated enough interest for the hacker responsible for maintaining and selling BlackHole to offer $4,000 – minus the cost of a license for the kit.

In a blog post, Tim Rains, director of product management in Microsoft’s Trustworthy Computing group, wrote that Java’s ubiquity has been the key reason it has become an attractive target for attackers.

“As reported in the latest volume of the Microsoft Security Intelligence Report (volume 11), the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK),” he wrote. “During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits. During this one year period, Microsoft (anti-malware) technologies detected or blocked, on average, 6.9 million exploit attempts on Java related components per quarter, totaling almost 27.5 million exploit attempts during the year.”

Adding to their efficacy is the fact that organizations often take their time when it comes to patching. Though users could download Java patches directly from Oracle, most enterprises rely on the operating system vendors to provide the patches, explained Jonathan Cran, QA Director of the Metasploit Project at Rapid7. As a result, organizations patch Java sporadically, even though the patches themselves were available directly soon after the release of the vulnerability, he said.

Oracle is patching the vulnerabilities, but they must then be distributed to the systems running the vulnerable software, he said.

“This distribution process isn’t always timely – case in point: Ubuntu Linux, which is still waiting for the update – and is handled differently across the different OSs (operating systems),” Cran said.

“What I’m really getting at is that each OS has made decisions about how to handle the updates for third-party software on their systems, for better or worse,” he continued. “Microsoft has pushed this process to the individual software manufacturer…(and) Apple and Canonical have rolled this functionality into their own Update / QA process. Moving it into the OS update process introduces lag, but also increases reliability that the patch will be eventually installed, especially by enterprise users. For now, Apple has been able to get the update out and appears to be a good model to follow, while Ubuntu users are still waiting. Microsoft Windows users will sporadically receive it over the next month, as the tray icon does its work.”

“This is analogous to the problems we’re seeing on the Android platform, where the OS manufacturer (Google) is creating and shipping updates, but it takes some time for these to be applied to the phones, if they’re ever made available by the phone manufacturer,” Cran added.

Despite the challenges, Symantec Security Intelligence Manager Joshua Talbot said people shouldn’t be too quick to jump from Java.

“Individuals and organizations have to weigh their needs against the risk they face from a potential compromise,” he said. “Administrators and users should also remember that there are often many mitigating options available, such as only allowing Java from trusted sites and temporarily disabling Java until patches are available.”
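The mitigations Talbot lists only work if an administrator knows which hosts are still running a vulnerable JRE. The following script is an added illustration, not code from the article or from any of the vendors quoted in it: it parses the banner printed by `java -version` into a comparable version tuple and reports whether a host meets the minimum patched update for its Java release line. The baseline update numbers are deliberately left as placeholders to be filled in from Oracle's advisory for the CVE in question; nothing here is an assertion about which specific update fixed CVE-2011-3544.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Version tuple: (major, minor, security, update); "1.6.0_26" -> (1, 6, 0, 26).
Version = Tuple[int, int, int, int]
# Release line key: (major, minor), e.g. (1, 6) for Java 6.
Line = Tuple[int, int]

# Matches the quoted version in the first line of `java -version` output,
# e.g. 'java version "1.6.0_26"' or 'openjdk version "11.0.2" 2019-01-15'.
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# PLACEHOLDER baselines (hypothetical values): replace each entry with the
# minimum patched update for that release line taken from the vendor advisory.
# Lines absent from this dict are reported as "unknown" rather than guessed at.
PLACEHOLDER_BASELINES: Dict[Line, Version] = {
    (1, 6): (1, 6, 0, 0),  # hypothetical: set to the real Java 6 patched update
    (1, 7): (1, 7, 0, 0),  # hypothetical: set to the real Java 7 patched update
}


def parse_java_version(banner: str) -> Optional[Version]:
    """Extract a version tuple from `java -version` output; None if absent."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, security, update = match.groups()
    return (int(major), int(minor), int(security), int(update or 0))


def assess(banner: str, baselines: Dict[Line, Version]) -> str:
    """Classify a host as 'patched', 'vulnerable' or 'unknown'.

    'unknown' covers banners that cannot be parsed and release lines for which
    no baseline is known; a scanner should surface those for manual review
    rather than silently treating them as safe.
    """
    installed = parse_java_version(banner)
    if installed is None:
        return "unknown"
    baseline = baselines.get(installed[:2])
    if baseline is None:
        return "unknown"
    # Tuple comparison orders (major, minor, security, update) lexicographically.
    return "patched" if installed >= baseline else "vulnerable"


def local_java_banner() -> Optional[str]:
    """Run `java -version` on this host; it prints to stderr. None if no java."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample banners standing in for output collected from hosts.
    samples = {
        "host-a": 'java version "1.6.0_26"',
        "host-b": 'java version "1.7.0"',
        "host-c": 'openjdk version "11.0.2" 2019-01-15',
        "host-d": "bash: java: command not found",
    }
    for host, banner in samples.items():
        print(f"{host}: {assess(banner, PLACEHOLDER_BASELINES)}")
    live = local_java_banner()
    if live:
        print(f"this host: {assess(live, PLACEHOLDER_BASELINES)}")
```

Because the baseline is a per-line dictionary, a host on a release line the advisory does not cover is reported as unknown instead of being marked patched by accident, which is the failure mode that lets hosts slip through an inventory check.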
