As many as 4.2 million attacks using Java exploits were repelled by our Automatic Exploit Prevention system between September 2012 and August 2013. This number indicates two things. The first, of course, is the efficiency of our technology. The second, unfortunately, is that the number of attacks on Java has not decreased but, on the contrary, has increased. Various Kaspersky Lab products have blocked about 14.1 million attacks exploiting Java vulnerabilities, one-third more than in 2011-2012.
Unfortunately, Java has been and remains a headache for all those involved in information security.
There are several reasons for that. Firstly, despite all of its flaws, Java is extremely popular with developers (according to some reports, there are about 9 million people worldwide who use it), since the language allows them to create cross-platform applications that all run in the Java Virtual Machine.
For this reason, Java has spread enormously on all user platforms. Now, it is being employed by more than three billion devices worldwide.
There is also another reason for its popularity: the development of Java started a long time ago, when there was no reason to warn users about the prevalence of malware, let alone exploits, and so no reason to spend time on its security.
It’s no wonder, then, that last year 50% of attacks using exploits were targeted at Java.
See the general dynamics of the number of attacks using exploits on the chart below:
It has been growing since a slight decline in mid-2012, while the other two “favorite” formats for intruders, PDF and Flash, have on the contrary been losing “popularity”.
One reason for the growing number of attacks is the fact that between September 2012 and August 2013 there were 160 new vulnerabilities discovered, i.e. twice as many as during the previous 12 months.
A recent Kaspersky Lab study on the evolution of Java exploits shows particular growth (+21%) in the number of attacks from March until August 2013. 80% of the attacks occurred in 10 countries, a list topped by the U.S., Russia, Germany and Italy.
More than half of the attacks used exploits belonging to six well-known groups. In other words, we cannot say that attackers sought to diversify their tools.
What do all these frightening numbers mean for business? First of all, you must understand that attackers deliberately search for Java vulnerabilities, so the use of applications written in this language is unsafe in itself. That does not mean all of them should be removed immediately, but you must keep them under control.
Secondly, the statistics show that Java is not just the most frequently attacked software, but also one of the most reluctantly updated. On average, even a month and a half after the release of a corrected version, most users still have not rushed to upgrade Java on their devices. And while system administrators can update Java centrally within a corporate infrastructure, users’ own devices may be somewhat trickier.
Unfortunately, exploits are a threat even when users are well-versed in IT, aware of the dangers of malware and quick to update software as soon as new versions are released.
The point is that zero-day exploits for new vulnerabilities appear before the developer (in this case, Oracle) learns of the existence of these flaws. Hackers and developers are in a race, and the developers are constantly “catching up”. Users are at risk the whole time between the moment a vulnerability is discovered and the release of an update.
In the end, exposing oneself to an attack is easy: just visit a legitimate site in which hackers have embedded malicious code.
The surest way to protect against exploits is to use automated tools that block their activity in a preventive mode. Our Automatic Exploit Prevention technology is such a tool.
Despite the diversity of existing exploits, they all share several similarities. Besides the fact that they are always written for specific software, exploits also have typical behavior patterns and carry out attacks in similar ways.
This is why, for the most vulnerable software products and platforms (including Java), AEP enables a “presumption of guilt” mode: if such a program tries to download and run an executable file, that becomes a reason for additional checks, including tracking the source of the launch command and verifying the origin of the file being downloaded. If the file’s characteristics are suspicious, its execution is automatically blocked.
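To make the “presumption of guilt” logic concrete, here is an added toy model of such a behavioral check. It is not Kaspersky’s AEP code; the process names, the event fields, the origin labels, the temporary-directory patterns, the intermediate “monitor” verdict and the scoring threshold are all assumptions chosen for illustration. The sample launch events are constructed, not real telemetry.

```python
"""Toy model of a behaviour-based exploit-prevention check (constructed example).

A launch initiated by a "presumed guilty" program (here: Java processes) triggers
two additional checks, mirroring the text: where the launch command came from,
and what the origin of the executable being started is.
"""
from dataclasses import dataclass

# Programs placed under the "presumption of guilt": when one of them starts another
# executable, the launch is subjected to additional checks (assumed list).
GUILTY_PARENTS = {"java.exe", "javaw.exe", "jp2launcher.exe"}
# Grandparents that indicate the Java process was spawned by a web browser (assumed list).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# File-origin labels the check treats as trusted (assumed labels).
TRUSTED_ORIGINS = {"local_install", "signed_vendor"}
# Locations where a freshly downloaded payload typically lands (assumed patterns).
TEMP_DIRS = ("\\temp\\", "/tmp/")
# Number of suspicious findings at which execution is blocked (assumed threshold).
BLOCK_THRESHOLD = 2


@dataclass
class LaunchEvent:
    parent: str        # process issuing the launch command
    grandparent: str   # process that started the parent (source of the launch chain)
    child_path: str    # executable being launched
    origin: str        # recorded provenance of the file: "download", "local_install", ...
    signed: bool       # whether the file carries a valid code signature


def classify(ev):
    """Return (verdict, reasons); verdict is 'allow', 'monitor' or 'block'."""
    if ev.parent.lower() not in GUILTY_PARENTS:
        return "allow", []          # not a presumed-guilty program: no extra checks
    reasons = []
    # Check 1: track the source of the launch command.
    if ev.grandparent.lower() in BROWSERS:
        reasons.append("launch chain starts in a web browser")
    # Check 2: verify the origin of the file being run.
    if ev.origin not in TRUSTED_ORIGINS:
        reasons.append(f"untrusted file origin: {ev.origin}")
    if any(d in ev.child_path.lower() for d in TEMP_DIRS):
        reasons.append("executable located in a temporary directory")
    if not ev.signed:
        reasons.append("executable is unsigned")
    if len(reasons) >= BLOCK_THRESHOLD:
        return "block", reasons
    # A single finding is logged for analysts rather than blocked (assumed policy).
    return ("monitor" if reasons else "allow"), reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Browser-hosted Java drops an unsigned file into Temp and runs it.
    LaunchEvent("java.exe", "firefox.exe",
                r"C:\Users\bob\AppData\Local\Temp\update.exe", "download", False),
    # Locally started Java launches a signed, locally installed vendor tool.
    LaunchEvent("javaw.exe", "explorer.exe",
                r"C:\Program Files\Vendor\tool.exe", "signed_vendor", True),
    # Locally started Java runs a signed file that was downloaded earlier.
    LaunchEvent("java.exe", "explorer.exe",
                r"C:\Users\bob\Downloads\setup.exe", "download", True),
    # Same suspicious file, but launched by Explorer: not a presumed-guilty parent.
    LaunchEvent("explorer.exe", "userinit.exe",
                r"C:\Users\bob\AppData\Local\Temp\update.exe", "download", False),
]


def run(events=SAMPLE_EVENTS):
    """Classify every event and return the list of verdicts in order."""
    return [classify(ev)[0] for ev in events]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reasons = classify(ev)
        print(f"{verdict:8} {ev.parent} -> {ev.child_path}")
        for r in reasons:
            print("         -", r)
```

The point of the model is the two-step shape rather than the particular heuristics: the parent process decides whether extra checks run at all, and only the accumulated findings from those checks decide whether the launch is blocked. Note that the last sample event shows the weakness of a parent-based trigger: the same suspicious file launched by a non-monitored process receives no scrutiny, which is why a real product would combine this with other layers.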
Here is a good example. In early January, an exploit for the Java zero-day vulnerability CVE-2013-0422 was detected. The exploit proved extremely efficient, with 83% of attacks succeeding. It even got to the point where cyber security experts from the US National Security Agency recommended that users disable the Java plugin in web browsers to protect themselves against malicious attacks using this previously unknown vulnerability.
At the same time, Kaspersky Security Network statistics showed that users of Kaspersky Lab products with AEP technology successfully blocked the exploit on the basis of behavioral analysis, even before the incident was made public.