Java is the largest malware target according to Microsoft
In a post on the Microsoft Security Blog, Tim Rains, a director in Microsoft's Trustworthy Computing Group, has written about the huge number of Java exploits being found in the wild. In the second half of 2010 and the first half of 2011, between a third and a half of all exploits observed by Microsoft's Malicious Software Removal Tool attacked vulnerabilities in Java: in the Runtime Environment, the Virtual Machine, or Java SE in the Java Development Kit. Rains based his comments on the latest Microsoft Security Intelligence Report.
In the data published by Microsoft there is a major surge in Windows exploits during the second quarter of 2011 (the orange line in the graph above). Extrapolating, this looks set to overtake Java exploits in the third quarter; however, Microsoft states that this surge was due to the exploitation of a single vulnerability in the Windows Shell, described in CVE-2010-2568. Microsoft released an emergency patch in August 2010 to address this problem. The vulnerability affected all supported Microsoft operating systems.
Of the four most commonly detected Java exploits, one was addressed in a security update in December 2008 and another just under a year later, in November 2009. The other two in this group were both addressed in March 2010. The fact that they are still being deployed quite some time after they have been addressed by security updates suggests that many users are not updating their systems as often as necessary. As Rains makes clear in his blog posting, the malware attackers are only likely to continue to deploy exploits if "they continue to get a positive return on investment."
But it is not only exploits of old vulnerabilities that should concern Java users. As has been pointed out on Krebs on Security, a new exploit has emerged that is being built into automated attack tools. The critical vulnerability that this exploit targets has been addressed in an update, but only the very latest versions of Java are safe from it. If users are slow to update, very large numbers of them are likely to remain at risk. Users who wish to check whether their system uses Java, and to determine its version number, can make use of the Verify Java Version web page.
- Mozilla considers disabling Java in Firefox, a report from The H.