Java exploits have skyrocketed, Microsoft researcher says

The number of attacks on Java in 3Q 2010 dwarfed those made on Adobe PDF

An unprecedented wave of attacks that exploit weaknesses in Java has gone largely unnoticed by the security community, said a Microsoft malware researcher in a blog post today. Some 6 million attacks against Java occurred in the third quarter of 2010, compared to about a quarter of that amount in the quarter prior. This compares to fewer than 100,000 attacks in the same period on Adobe PDF documents.

Nearly all of those attacks can be traced to three holes for which patches are now available, says Holly Stewart, a researcher for Microsoft's Malware Protection Center. They are:

1) The Common Vulnerabilities and Exposures (CVE) List's CVE-2008-5353, a Java Runtime Environment hole in the ZoneInfo objects which lets remote attackers run malicious applets in browsers on Windows, Linux, and Mac OS X. It accounts for more than half the attacks.

2) CVE-2009-3867, a buffer overflow hole that allows malicious code to be slipped in via a long file:// URL argument. This accounts for most of the rest of the attacks.

3) CVE-2010-0094, an attack that is somewhat similar to CVE-2008-5353, but which the CVE entry says is waiting on a response from Oracle. Stewart says this accounted for about 100,000 attacks.

Stewart noticed the phenomenon while collecting statistics for Microsoft Security Intelligence Report volume 9, released last week, she said. That report compiles findings that Microsoft collects mostly through its various anti-malware efforts, including Bing, Windows Live Hotmail, Forefront Online Protection and Forefront Client apps, Windows Defender, the Malicious Software Removal Tool, Windows Live OneCare and Microsoft Security Essentials. In other words, the statistics in the report have a decidedly Windows-centric viewpoint, as most of the data gathered is from Windows machines.

While that report certainly contributes a valuable snapshot of the types of security issues Windows users fend off (or succumb to), I have always considered it a mild public relations vehicle, too. The report tends to show how much Microsoft is improving at security and how much more secure its latest operating systems are compared to the older ones.

But even considering the source, that doesn't mean that Java -- particularly under Oracle's rule -- doesn't have security problems. These were attacks on Java itself, not JavaScript. While many antimalware products can stop many kinds of malware from being implanted on systems via these holes, an unpatched hole remains a threat.

Stewart warns:

"Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it. On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it's running? ... Now that our eyes are open, it is time for us to start reassessing yet another ubiquitous technology that attackers have found they can exploit."

Her conclusions are echoed by security blogger Krebs On Security. He reported last week that Java is fast becoming a favorite of for-profit criminal hackers for its money-making abilities. Java exploits are becoming must-haves in "exploit kits" -- what Krebs calls commercial crimeware packages.

The CVE list records 66 known vulnerabilities involving Java reported in 2010 alone. Just to give you some context, this compares to 329 reported for Windows operating systems in 2010 but a mere 7 reported for ASP.NET.

Should Java be treated as the next big criminal hacker playground? Or is this Microsoft researcher raising the alarm for political reasons?
