Computerworld — Hackers continue to launch attacks exploiting vulnerabilities in Oracle's Java software in record numbers, Microsoft said Monday.

Citing research from a recent report, Tim Rains, a director in the company's Trustworthy Computing group, said that up to half of all attacks detected and blocked by Microsoft's security software over a 12-month period were Java exploits.

Altogether, Microsoft stopped more than 27 million Java exploits from mid-2010 through mid-2011.

Most of those exploits targeted long-ago-patched vulnerabilities, said Rains.

The most commonly-blocked Java attacks -- to the tune of over 2.5 million of them -- in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the full 12-month stretch was an exploit of a bug patched in early December 2008, nearly three years ago.

Other bugs that made the actively-exploited list were quashed in November 2009 and March 2010.

Rain's comments followed a similar message from Microsoft in October 2010, when the company said an "unprecedented wave" of attacks were exploiting Java flaws.

Microsoft's findings were no surprise to outside security researchers.

"Most [Windows] machines are just not up-to-date with Java," said Wolfgang Kandek, chief technology officer at Qualys, a California developer of security risk and compliance management software and services.

Qualys regularly mines data from the customers' machines it protects to get a feel for updating practices. And for Java, those practices are pathetic.

"Java updates lag behind seriously," said Kandek, like Rains reiterating a 2010 take . "Eighty-four percent of the machines we see don't have the June 2011 Java update installed, 81% don't have the February 2011 update and 60% don't have the March 2010 update."

Qualys doesn't have enough scanning data yet to measure the patch rate for the October 2011 update , Oracle's latest, but Kandek estimated that as many as 90% of Windows PCs hadn't deployed those fixes.

Enterprises typically patch vulnerabilities in Microsoft's Windows much faster, Kandek continued, citing a "half-life" -- meaning that half of all machines are patched -- of 29 days for run-of-the-mill Windows bugs. Critical patches are deployed even quicker: Their half-life is about 15 days.

The pervasiveness of Java is one explanation for the high volume of attacks exploiting its bugs, said Andrew Storms, director of security operations for nCircle Security, in an interview conducted via instant message.

But its virtual invisibility to users is another.

"Java is not something [most users] interact with ... similar to how Adobe Flash or Reader became the big, but silent, target," said Storms. "It's on everyone's computer, but rarely do you interact with it. [So] from the attackers' perspective, using Java as the silent killer is a smart move. If people don't know what it is or know what it does, they are less likely to update it. As such, you have to imagine there are tons and tons of old vulnerable installs out there."

Continue Reading