ID: IRCNE20111101325
Date: 2011-11-30
According to “ComputerWorldUK”, hackers continue to launch attacks exploiting vulnerabilities in Oracle's Java software in record numbers, Microsoft said Monday. Tim Rains, a director in the company's Trustworthy Computing group, said that up to half of all attacks detected and blocked by Microsoft's security software over a 12-month period were Java exploits.
Altogether, Microsoft stopped more than 27 million Java exploits from mid-2010 through mid-2011. Most of those exploits targeted long-ago-patched vulnerabilities, said Rains.
The most commonly-blocked Java attacks -- to the tune of over 2.5 million of them -- in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the full 12-month stretch was an exploit of a bug patched in early December 2008, nearly three years ago. Other bugs that made the actively-exploited list were quashed in November 2009 and March 2010.
"Most [Windows] machines are just not up-to-date with Java," said Wolfgang Kandek, chief technology officer at Qualys. Qualys regularly mines data from the customers' machines it protects to get a feel for updating practices. And for Java, those practices are pathetic.
"Java updates lag behind seriously," said Kandek, like Rains reiterating a 2010 take . "Eighty-four percent of the machines we see don't have the June 2011 Java update installed, 81% don't have the February 2011 update and 60% don't have the March 2010 update". Kandek estimated that as many as 90% of Windows PCs hadn't deployed those fixes. Enterprises typically patch vulnerabilities in Microsoft's Windows much faster, Kandek continued, citing a "half-life" -- meaning that half of all machines are patched -- of 29 days for run-of-the-mill Windows bugs. Critical patches are deployed even quicker: Their half-life is about 15 days.
The pervasiveness of Java is one explanation for the high volume of attacks exploiting its bugs, said Andrew Storms, director of security operations for nCircle Security, in an interview conducted via instant message. But its virtual invisibility to users is another. "Java is not something [most users] interact with ...", said Storms. "It's on everyone's computer, but rarely do you interact with it. If people don't know what it is or know what it does, they are less likely to update it.
Criminal developers who craft exploit kits are constantly adding new Java exploits to their wares, Kandek continued, to supplement the older-but-still-effective exploits of older bugs. Those kits already have been equipped with exploits of the bugs Oracle patched in October.
Microsoft's Rains also told users that they should update Java, and keep it up to date.
- 2