Recently I was prompted to update Java components that are installed on one of the personal computers I have at home. As the installation wizard walked me through the steps to install the update, I was reminded how ubiquitous Java is.
Figure: The Java update installer that ran on my personal computer
Attackers have been aggressively targeting vulnerabilities in Java because it is so ubiquitous. As reported in the latest volume of the Microsoft Security Intelligence Report (volume 11), the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits. During this one year period, Microsoft antimalware technologies detected or blocked, on average, 6.9 million exploit attempts on Java related components per quarter, totaling almost 27.5 million exploit attempts during the year.
Figure: the prevalence of different Java exploits by quarter as published in the Microsoft Security Intelligence Report volume 11
Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available for them for years. This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment.
Details on these Java vulnerabilities:
· The most commonly exploited Java vulnerability in the first half of 2011 was CVE-2010-0840, a Java Runtime Environment (JRE) vulnerability first disclosed in March 2010 and addressed with an Oracle security update the same month. Exploitation of the vulnerability was first detected at a low level in fourth quarter of 2010 before increasing tenfold in the first quarter of 2011.
· CVE-2008-5353 was the second most commonly exploited Java vulnerability in the first half of 2011; it was first disclosed in December 2008. This vulnerability affects Java Virtual Machine (JVM) version 5 up to and including update 22, and JVM version 6 up to and including update 10. It allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system, outside its “sandbox” environment. Sun Microsystems released a security update that addressed the vulnerability on December 3, 2008.
· CVE-2010-0094 was first disclosed in December 2009. The vulnerability affects JRE versions up to and including update 18 of version 6. It allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system, outside its sandbox environment. Oracle released a security update that addressed the vulnerability in March 2010.
· CVE-2009-3867 was first disclosed in November 2009. The vulnerability affects JVM version 5 up to and including update 21, and JVM version 6 up to and including update 16. When an applet that exploits the vulnerability is loaded by a computer with a vulnerable version of Java, security checks may be bypassed, allowing the execution of arbitrary code. Sun Microsystems released a security update that addressed the vulnerability on November 3, 2009.
Vulnerabilities in Oracle’s Java software have been getting attacked on a relatively large scale for many months and, as I already mentioned, security updates for these vulnerabilities have been available for some time. The call to action is:
· If you haven’t updated Java in your environment recently, you should evaluate the current risks. Note: you might have multiple different versions of Java in use in your environment and should evaluate with this in mind.
· Keep all software in your environment up to date, not just Windows; assume attackers are targeting vulnerabilities in all prevalent software.
· Run antimalware software from a trusted vendor and keep it up to date.
 An exploit is malicious code that takes advantage of software vulnerabilities to infect, disrupt, or take control of a computer without the user’s consent and usually without the user’s knowledge.