I have long urged readers who have no need for Java to remove the program, because failing to keep this software updated with the latest security patches exposes users to dangerous, ubiquitous attacks. In this blog post, I’ll show readers how attacks against Java vulnerabilities have fast emerged as the top moneymaker for authors of the best-selling “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities.
Take one look at the newest kit on the block — “Blackhole” — and it is obvious that Java vulnerabilities continue to give attackers the most mileage and profit, and have surpassed Adobe flaws as the most successful exploit vehicles.
I spoke briefly via instant message with the developer of this Blackhole kit (pictured at right), and he assured me that these images were taken from a working installation. The screen shot here shows the administration panel for this exploit pack, which lists the number of hits (хиты) and downloads (загрузки). The statistics show that on average this kit finds a working exploit that it can use to install malicious software on a visiting host about 10 percent of the time.
Granted, as exploit pack administration pages go, this one is very young (13,289 hits at the time this screen shot was taken), but already some patterns emerge from the data. For example, we can see that Java vulnerabilities are by far the most useful, comprising more than 90 percent of all successful exploits.
This pattern is not confined to Blackhole. Have a look at the following three screen shots, taken from the exploit results pages of three different working installations of SEO Sploit Pack, another common exploit kit. All three screen shots clearly show Java vulnerabilities are the most productive, accounting for between 50 and 65 percent of malware installs or “loads” (thanks to Malwaredomainlist.com for help on this).
I believe that there are two reasons for this pattern: First, Java’s maker, Sun — now part of Oracle Corp. — for too long considered itself an enterprise software company, and chose to ignore that its software also is installed on something like 85 percent of the desktop computers on the planet (and 75 percent of Krebsonsecurity.com readers, according to Google Analytics). Also, it seems that many consumers simply aren’t aware that they have this software installed, or that it needs fairly frequent updating.
Adobe has taken some lumps over the past year for the number of critical vulnerabilities that hackers have found and exploited in its software. But for some reason, Java seems to get a pass from the tech and security press, even though Java flaws consistently are found to be the most useful for attackers who wield these automated exploit kits.
If you don’t use Java, consider removing it. You can always reinstall it later if you find you need it. If you do use Java, then please keep it up to date. Java ships with a built-in updater that by default checks for updates on the 14th day of every month. However, this may not be frequent enough to keep users caught up with the latest version. The program can also be set to check for updates every day or every week, although I have found Java’s updater often fails to detect when a new version is available. Alternatively, programs like FileHippo’s Update Checker and Secunia’s Personal Software Inspector can help users stay up to date on the latest security patches.
Update, Oct. 12, 6:19 p.m. ET: Oracle just released an update — Java 6 Update 22 — that fixes 29 security flaws in the most recent version of Java.