Microsoft warns of "unprecedented" Java exploitation


Six million attacks during the third quarter of 2010.

The number of attacks on vulnerable Java code spiked during the third quarter of the year and has reached “unprecedented” levels, a Microsoft malware expert said.

The increase was largely attributable to attacks on three Java vulnerabilities, all of which have patches available, Holly Stewart, senior program manager at Microsoft, wrote in a blog post.

But despite the fixes being available from Oracle, the number of attacks against the flaws increased from hundreds of thousands per quarter to more than six million during the third quarter of 2010, Stewart said. Even by the start of the year – months before the spike – Java exploits already well outnumbered Adobe-related exploits.

“Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it,” Stewart wrote. “Now that our eyes are open, it is time for us to start reassessing yet another ubiquitous technology that attackers have found they can exploit.”

The number of Java vulnerabilities started “increasing dramatically” in 2008, Stewart said. However, until recently, the exploitation of Java flaws had not garnered serious attention within the security community.

Intrusion detection and prevention system vendors, which typically publicise new types of exploitation, have a difficult time parsing Java code, and as a result, might not have noticed the large number of attacks, Stewart said. Anti-malware vendors, meanwhile, have missed the surge in Java attacks because they place much of their focus on defending against common malware families, such as Zeus.

The huge uptick in attacks serves as a reminder about the importance of applying security updates for all software, Stewart said.

Just last week, Oracle released a batch of security fixes for Java. The update included 29 fixes across Java SE and Java for Business products. Fifteen of the Java flaws earned the highest score of 10 on the company's Common Vulnerability Scoring System (CVSS).

Copyright © SC Magazine, US edition