Channelnomics

Java Bests Adobe With Most Exploited Flaws

Oracle Corp.’s Java outpaced Adobe applications with the most exploited software vulnerabilities according to researchers at Kaspersky Lab, indicating to the channel that the vulnerable platform will require a meaty security arsenal and services for the foreseeable future.

Adobe Reader and Adobe Flash, which had ranked the highest in terms of the number of exploitable vulnerabilities in 2011, came in a respective second and third place behind Java. Altogether, Java security holes were responsible for 50 percent of attacks, while Adobe Reader comprised 28 percent of security incidents involving vulnerability exploits. Windows components and Internet Explorer were only exploited in 3 percent of incidents.

Meanwhile, it’s well known that vulnerability exploits are one of the primary means that cybercriminals distribute malware. In years past, cybercriminals had a wide open playing field with Microsoft Windows and Adobe flaws, which often topped the charts in terms of highest number of vulnerabilities leading to attacks.

Recently that trend experienced a bit of a turnaround, thanks to Microsoft’s monthly Patch Tuesday security bulletins and automatic updates. Likewise, Adobe also served to remove much of the low hanging fruit from the threat landscape with automatic updates and better detection mechanisms that ultimately posed obstacles for cybercriminals looking to gain easy entry.

Consequently, cybercriminals were prompted to turn their cannons elsewhere. And in 2012, their target of choice was Oracle’s Java.

And for a lot of reasons. For one, Oracle has consistently stayed leagues behind industry counterparts Microsoft, Adobe and even Apple in terms of its security update processes. And for good reason — in the past, it had been Microsoft and Apple, not Oracle, responsible for releasing Java updates tailored to their own operating systems. To say that Oracle was a bit green in the security arena was a bit of an understatement.

That fact was not lost on cybercriminals, who pummeled Oracle’s Java platform in a series of high-profile attacks throughout the year. Over the summer, a zero-day threat garnered headlines by exploiting a flaw in the Java 7 archive, dropping a malicious applet, dubbed Dropper MsPMs, on affected systems. Once safely dropped, the malware, known as the Poison Ivy Trojan, then communicated with its Command and Control centers based in China and Singapore, according to researchers at FireEye.

And in April, the notorious Flashback Trojan exploited a Java vulnerability to spread on the Mac OS X platform, infecting more than 600,000 machines around the world at its height.

The spate of threats didn’t come without consequence for Oracle’s Java. The Flashback threat ultimately prompted Apple to disable Java by default to reduce the threat’s propagation.

Meanwhile, researchers at Sophos Ltd., F-Secure, Kaspersky Lab ZAO and others called for users to ditch Java altogether until Oracle plugged the Java Archive hole. The Redwood Shores, Calif.-based software firm released a patch, but not before a critical mass of users disabled the program in order to circumvent attack.

Not surprisingly, Java vulnerabilities have represented an endless source of headaches for the channel, which are not likely to diminish in the near future. Following Java’s latest zero-day flaw, channel partners scrambled to disable the program for affected customers, while updating patches and beefing up security systems in order to stave off the threat. And it’s not likely that they’ll forget should a similar security fire alarm occur again in the near future.

Down the road, it’s possible that the Java 7 bug, and others, could spur Oracle to improve security processes and incident response times. Historically, unwieldy attacks have prompted Microsoft, Adobe and even Apple to implement regularly scheduled patch updates, and it wouldn’t be unprecedented for Oracle to follow suit, especially as the proliferation of attacks continues to compel users to do without Java altogether.

Until then, however, partners will need to be armed and ready to remediate an exponential rise of Java-related security threats for their customers – a challenge that will likely get worse in 2013 before it gets better.
