Java has become virtually unavoidable in the last few years, and it’s installed on hundreds of millions of PCs around the world. A huge number of those installations are vulnerable versions of Java, and this fact has not escaped the attention of attackers, who have made the technology one of their favored targets. In fact, new data from Microsoft shows that Java exploits were the most prevalent in the first six months of 2011, and that attackers often use exploits for bugs that are several months or years old.
Microsoft’s research found that attackers, having spent the time and effort to develop (or buy/steal) an exploit for a specific Java bug, will continue to use it for as long as it’s effective. Not surprisingly, the attackers don’t seem to be having a difficult time finding PCs with vulnerable versions of Java to exploit. Although Java has been a frequent target for years now, users don’t seem to be doing so well on the updating and patching front.
“Attackers have been aggressively targeting vulnerabilities in Java because it is so ubiquitous. As reported in the latest volume of the Microsoft Security Intelligence Report (volume 11), the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits. During this one year period, Microsoft antimalware technologies detected or blocked, on average, 6.9 million exploit attempts on Java related components per quarter, totaling almost 27.5 million exploit attempts during the year,” Microsoft’s Tim Rains wrote in a blog post.
The most commonly exploited Java bug during the first half of 2011 was a flaw in the Java Runtime Environment that was discovered in March 2010 and patched within a couple of weeks. Microsoft’s data shows that exploit attempts against this flaw (CVE-2010-0840) increased ten-fold in the first half of this year.
That’s an old bug, but not nearly as old as the second most commonly exploited one, CVE-2008-5353, a flaw in the Java Virtual Machine, which was first disclosed in December 2008. The flaw was patched the same month, but attackers apparently aren’t running short on target machines that are still vulnerable.