Microsoft Warns Of 'Unprecedented' Rise In Java Exploits

Microsoft warned users about an "unprecedented wave of Java exploitation" in 2010, enabling hackers to use widespread Java vulnerabilities to launch malicious attacks.

Thus far in 2010, Microsoft researchers have seen a significant spike of attacks exploiting Java vulnerabilities that have totaled in the millions, surpassing the total number of Adobe-related exploits this year. Adobe software products are widely considered to be among the most vulnerable to attack.

The rise in Java exploits stems from three critical vulnerabilities, two of which have exceeded the one million mark, despite the fact that all three vulnerabilities have been patched for a while.

The most serious Java flaw occurred as the result of a deserialization issue in Java Runtime Environment (JRE) that allowed attackers to launch malicious code through Java-enabled browsers. The vulnerability, which affected a wide range of platforms including Windows, Linux and Apple Mac OS X, enabled the infection of 1.2 million computers in more than 3 million attacks.

The second most serious vulnerability stemmed from a parsing error that also enabled remote code execution attacks, leading to the infections of an additional 1.1 million computers. The third Java flaw is also a deserialization glitch, similar to the first one, but exploited on a much smaller scale at about 173,123 known attacks.

Next: Experts Cite Reasons For Java Exploits

Microsoft researcher Holly Stewart said in a blog post that researchers began to notice the groundswell of Java vulnerabilities in 2008, attributed, in part, to the program's proliferation and lack of visibility combined with infrequent updating by users.

"Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it," said Stewart. "On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it's running?"

Stewart said that the sharp rise in Java attacks might have gone unnoticed for so long because of their relatively low volume -- essentially trickling in one at a time -- compared to high-volume attacks sourced from botnets such as Zbot, which can infect tens of thousands of users at once.

"So, even small numbers, especially when they're against un-patched vulnerabilities, matter a lot," Stewart said.

Security blogger Brian Krebs first noticed the exponential increase in Java exploits last week, and like Stewart, pointed to the pervasiveness of the application and lack of user awareness regarding updates as being the primary reasons for the uptick.

Next: Oracle Addresses Java Flaws

"Java's maker, Sun -- now part of Oracle Corp -- for too long considered itself an enterprise software company, and chose to ignore that its software also is installed on something like 85 percent of the desktop computers on the planet," he said. "Also, it seems that many consumers simply aren't aware that they have this software installed, or that it needs fairly frequent updating."

Meanwhile, Java vulnerabilities have been getting some attention in recent weeks. Oracle recently unleashed a massive patch comprising a total of 85 updates, 29 of which were dedicated to repairing Java holes. Meanwhile, Oracle gave 15 of the 29 security Java bugs the highest severity ranking of 10, indicating that the flaws could be exploited remotely.

As always, Microsoft urged users to regularly apply updates in order to reduce the risk of being attacked. "Considering that these vulnerabilities all have available updates from Oracle that would prevent these attacks from being successful, this data is a reminder that, in addition to running real-time protection, it is imperative to apply all security updates for software, no matter what your flavor might be."