Attackers have been aggressively targeting vulnerabilities in Java because it is so common. Almost all computers have Java installed, as it is used by billions of devices, software programs and websites. As reported in the latest volume of the Microsoft Security Intelligence Report (http://www.microsoft.com/security/sir/default.aspx), the most commonly observed types of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment, Java Virtual Machine, and Java SE in the Java Development Kit. During the one-year period starting in the third quarter of 2010 and ending in the second quarter of 2011, between one-third and one-half of all exploits observed in each quarter were Java exploits. An exploit is malicious code that takes advantage of software vulnerabilities to infect, disrupt, or take control of a computer without the user’s consent and usually without the user’s knowledge. During this one-year period, Microsoft antimalware technologies detected or blocked, on average, 6.9 million exploit attempts on Java-related components per quarter, totaling almost 27.5 million exploit attempts during the year.
Many of the more commonly exploited Java vulnerabilities are several years old and have had security updates available for years. Once attackers develop or buy the capability to exploit a vulnerability, they generally use the exploit for years, because they continue to get a positive return on investment: many of the targeted users simply ignore updates, or never think to update their software at all.
Details on these Java vulnerabilities:
· The most commonly exploited Java vulnerability in the first half of 2011 was CVE-2010-0840, a Java Runtime Environment (JRE) vulnerability first disclosed in March 2010 and addressed with an Oracle security update the same month. Exploitation of the vulnerability was first detected at a low level in the fourth quarter of 2010 before increasing tenfold in the first quarter of 2011.
· CVE-2008-5353 was the second most commonly exploited Java vulnerability in the first half of 2011; it was first disclosed in December 2008. This vulnerability affects Java Virtual Machine (JVM) version 5 up to and including update 22, and JVM version 6 up to and including update 10. It allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system, outside its “sandbox” environment. Sun Microsystems released a security update that addressed the vulnerability on December 3, 2008.
· CVE-2010-0094 was first disclosed in December 2009. The vulnerability affects JRE versions up to and including update 18 of version 6. It allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system, outside its sandbox environment. Oracle released a security update that addressed the vulnerability in March 2010.
· CVE-2009-3867 was first disclosed in November 2009. The vulnerability affects JVM version 5 up to and including update 21, and JVM version 6 up to and including update 16. When an applet that exploits the vulnerability is loaded by a computer with a vulnerable version of Java, security checks may be bypassed, allowing the execution of arbitrary code. Sun Microsystems released a security update that addressed the vulnerability on November 3, 2009.
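The affected-version ranges in the list above are easy to misread when auditing a fleet, so here is a small added checker (example code written for this post, not a Microsoft or Oracle tool) that parses the banner line of `java -version` and reports which of the three CVEs with stated ranges still apply. CVE-2010-0840 is left out because the post gives no version range for it; the `assess` and `parse_java_version` names are this example's own.

```python
import re

# Affected ranges exactly as stated in the list above:
# {CVE: {Java major version: highest affected update number}}
AFFECTED = {
    "CVE-2008-5353": {5: 22, 6: 10},   # JVM 5 <= u22, JVM 6 <= u10
    "CVE-2010-0094": {6: 18},          # JRE 6 <= u18
    "CVE-2009-3867": {5: 21, 6: 16},   # JVM 5 <= u21, JVM 6 <= u16
}

# Matches the first line of `java -version`, e.g.  java version "1.6.0_22"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner line.

    A banner without an "_NN" suffix (e.g. "1.6.0") is treated as update 0.
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised java -version banner: %r" % banner)
    return int(m.group(1)), int(m.group(2) or 0)


def applicable_cves(major, update):
    """CVEs from AFFECTED whose stated range covers this major/update pair."""
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if major in ranges and update <= ranges[major])


def assess(banner):
    """Parse a banner and return the version plus the CVEs that still apply."""
    major, update = parse_java_version(banner)
    return {"version": "%du%d" % (major, update),
            "cves": applicable_cves(major, update)}


if __name__ == "__main__":
    # Constructed sample banners, as an inventory script might collect them.
    for line in ('java version "1.6.0_10"', 'java version "1.6.0_17"',
                 'java version "1.5.0_22"', 'java version "1.6.0_19"'):
        print(assess(line))
```

An empty `cves` list only means the version is past the ranges listed here; a machine may also carry several JREs side by side, so check every installed copy rather than the one on `PATH`.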
Vulnerabilities in Java have been exploited on a large scale for months and security updates for these vulnerabilities have been available for quite some time.
· If you haven’t updated Java recently, you should do so ASAP!
· Keep all software in your environment up to date, not just Windows; assume attackers are targeting vulnerabilities in all prevalent software.
· Run antimalware software from a trusted vendor and keep it up to date.