Java Exploits Up in 2010, Cisco Says

Cisco Systems says Java vulnerabilities are now exploited more often than holes in Adobe's Acrobat and Reader applications.

The networking giant's 2010 Annual Security Report states that in January 2010, Java exploits accounted for only 1.5 percent of Web malware blocked by the company's ScanSafe software. By November, that number had jumped to 7 percent, Cisco says. Meanwhile, PDF exploits were declining. In January, they totaled just over 6 percent of Web malware blocked by ScanSafe, and by November that number had dropped to just 2 percent.

Java, Adobe's Reader and Acrobat, and Flash were the most common attack targets during the first half of 2010, the report found.

Why do the black hats have a new favorite target? One possibility, Cisco suggests, is the increased availability of public Java exploit code and the decreased availability of public Adobe Reader and Adobe Acrobat exploits. Also, end users are beginning to favor alternative PDF readers, and those who still prefer Adobe's software are tending to disable JavaScript and Flash. Consequently, PDF exploits simply aren't succeeding as often.

"Online criminals pay close attention to the success and failure rates of their exploits," the report states. "As of late 2010, it became clear that they feel Java is a gold mine."

Flaws in Java have made it "a promising target for criminals," the report states. The Blackhole, Crimepack, and Eleonore exploit software packages, for example, make heavy use of Java. All three are available for sale.

One of Java's strengths -- its multiplatform interoperability -- is also a weakness. It makes it easier for scammers to distribute malware across several platforms and devices (including mobile gear) running Java. And because Java works in the background, users tend not to keep track of necessary security updates. It's easy enough for criminal hackers to configure malware to check for older versions of Java during exploits.

"Cybercriminals aim their campaigns at software programs, devices and operating systems where they can reach the widest net of potential victims," the report states. "...At this point, Java appears to be the greater threat."

I would love to hear from Java jocks on this report. Check it out and let me know what you think.

Posted by John K. Waters on February 1, 2011