Security Experts:

Connect with us

Hi, what are you looking for?



How Can We Put an End to the Mass Java Exploit Era?

An exploit kit is a framework that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that can be invoked through the browser. These kits can be obtained on the cyber black market, where they are sold or rented.

An exploit kit is a framework that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that can be invoked through the browser. These kits can be obtained on the cyber black market, where they are sold or rented.

These kits allow cybercriminals to outsource the infection part of their malware campaign and focus on the development and management of their malicious payload. Therefore, Exploit kits are a highly popular choice for client side exploitation. Dell estimates that “70%-80% of [client side malware] attacks via the Internet now originate from exploit kits and expects to see continued focus and growth of these kits”.

Currently, exploit kits are mostly targeting Java related vulnerabilities. In this article we will dive into the history of exploit kits and their exploitation of other products, in order to find out what should a vendor do to better protect its customers.

Taking a deep dive into the exploit ocean

Last year, Deep Research had published an excellent poster, visualizing the different active exploit kits and the vulnerabilities they are exploiting, clustered by the targeted product.

List of Exploit Kits

Exploit Kit Vulnerabilities’ Exploitation by Vendor (Original image by Deepend Research)

One of the hallmarks of a good visualization is the ability to derive meaningful insights out of it, and this one is no exception. Diving into the deep water depicted by the poster, we can clearly define four distinct eras within the described timeframe:

• Internet Explorer (IE) Exploitation era ( until early 2007)

• PDF Reader Exploitation era (early 2007 – late 2010)

• Flash Exploitation era (late 2010 – mid 2011)

• Java Exploitation era (mid 2011 – present)

By correlating the end dates of the different eras with the relevant product news, an interesting connection between the end of the exploitation era and increased “software genetic diversity” becomes visible.

Internet Explorer (IE) Exploitation era ended on early 2007. On November 2006, Internet Explorer version 7 was pushed as a high priority automatic update, which made the execution of the vulnerable ActiveX depend on further user interaction. Additionally, on the first quarter of 2007, IE dropped from 80% marketshare for the first time.

On the first quarter of 2007, Internet Explorer dropped from 80% market share for the first time The PDF exploitation era ended on late 2010, just when (December 2010) Google Chrome version 8 introduced the PDF sandbox. The Flash exploitation short era was ended on mid-2011 when Chrome introduced (March 2011) the Flash Sand box.

Those who cannot learn from history are doomed to repeat it

A clear corollary of this article, is that creating a greater “gene pool diversity” is vital for protecting the users of a certain product from mass exploitation. The diversity changes the economic equation for the attackers and makes them search other, less diverse environments to attack. Ever since the browser market has moved from the Internet Explorer monopoly to the oligopoly of Google’s Chrome, Firefox and Internet explorer, we see very little large scale direct browser attacks.

Java should follow the example of Flash and PDF and artificially generate such diversity, by shielding the problematic software with a browser implemented sandbox. By following that method, we create genetic diversity as the sandbox implementation varies between different browser vendors and make the attacker to work harder in order to find two holes (original exploit in the sandboxed component plus sandbox exploit) instead of one. Note that this method seems to be effective even when only some of the possible victims are protected. When Google Chrome provided that extra shielding around PDF and Flash, it was enough to drive exploit kits away from the technology.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.