Connect with us

Hi, what are you looking for?



How Can We Put an End to the Mass Java Exploit Era?

An exploit kit is a framework that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that can be invoked through the browser. These kits can be obtained on the cyber black market, where they are sold or rented.

An exploit kit is a framework that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that can be invoked through the browser. These kits can be obtained on the cyber black market, where they are sold or rented.

These kits allow cybercriminals to outsource the infection part of their malware campaign and focus on the development and management of their malicious payload. Therefore, Exploit kits are a highly popular choice for client side exploitation. Dell estimates that “70%-80% of [client side malware] attacks via the Internet now originate from exploit kits and expects to see continued focus and growth of these kits”.

Currently, exploit kits are mostly targeting Java related vulnerabilities. In this article we will dive into the history of exploit kits and their exploitation of other products, in order to find out what should a vendor do to better protect its customers.

Taking a deep dive into the exploit ocean

Last year, Deep Research had published an excellent poster, visualizing the different active exploit kits and the vulnerabilities they are exploiting, clustered by the targeted product.

List of Exploit Kits

Exploit Kit Vulnerabilities’ Exploitation by Vendor (Original image by Deepend Research)

One of the hallmarks of a good visualization is the ability to derive meaningful insights out of it, and this one is no exception. Diving into the deep water depicted by the poster, we can clearly define four distinct eras within the described timeframe:

• Internet Explorer (IE) Exploitation era ( until early 2007)

Advertisement. Scroll to continue reading.

• PDF Reader Exploitation era (early 2007 – late 2010)

• Flash Exploitation era (late 2010 – mid 2011)

• Java Exploitation era (mid 2011 – present)

By correlating the end dates of the different eras with the relevant product news, an interesting connection between the end of the exploitation era and increased “software genetic diversity” becomes visible.

Internet Explorer (IE) Exploitation era ended on early 2007. On November 2006, Internet Explorer version 7 was pushed as a high priority automatic update, which made the execution of the vulnerable ActiveX depend on further user interaction. Additionally, on the first quarter of 2007, IE dropped from 80% marketshare for the first time.

On the first quarter of 2007, Internet Explorer dropped from 80% market share for the first time The PDF exploitation era ended on late 2010, just when (December 2010) Google Chrome version 8 introduced the PDF sandbox. The Flash exploitation short era was ended on mid-2011 when Chrome introduced (March 2011) the Flash Sand box.

Those who cannot learn from history are doomed to repeat it

A clear corollary of this article, is that creating a greater “gene pool diversity” is vital for protecting the users of a certain product from mass exploitation. The diversity changes the economic equation for the attackers and makes them search other, less diverse environments to attack. Ever since the browser market has moved from the Internet Explorer monopoly to the oligopoly of Google’s Chrome, Firefox and Internet explorer, we see very little large scale direct browser attacks.

Java should follow the example of Flash and PDF and artificially generate such diversity, by shielding the problematic software with a browser implemented sandbox. By following that method, we create genetic diversity as the sandbox implementation varies between different browser vendors and make the attacker to work harder in order to find two holes (original exploit in the sandboxed component plus sandbox exploit) instead of one. Note that this method seems to be effective even when only some of the possible victims are protected. When Google Chrome provided that extra shielding around PDF and Flash, it was enough to drive exploit kits away from the technology.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...