Malware operators are always looking for new ways to let their programs take control of additional machines. Their primary targets are Windows-based machines, because they have the largest install base. However, the operating system has become increasingly difficult to attack, so exploit writers have shifted their attention to critical vulnerabilities in third-party applications. These third-party vulnerabilities usually require user interaction (i.e. browsing to a certain web page, opening an e-mail, playing a media file) to be exploited successfully, but malware operators have achieved high conversion rates by using social engineering techniques and planting their attacks on trusted web sites. While the first wave of these exploits focused on Windows Office and the second wave on Adobe Reader and Flash products, we are now seeing increased attention on Java. Java has all the basic characteristics an attacker looks for: it is widely installed, it has a set of well-known vulnerabilities, and it has been largely ignored by IT administrators when it comes to patching.
Through our BrowserCheck application we have collected data showing that over 80% of all visiting workstations have Java installed. Of these machines, over 40% run a version of Java that has a critical vulnerability, making it the most vulnerable plug-in of all and giving malware an excellent chance to install itself and control the targeted machine.
A possible solution is to include Java in an existing automated update process. It would be ideal if Oracle/Sun could collaborate with Microsoft to use the well-established and robust WSUS update process to distribute fixes for Java. If this mechanism could then be extended to all major software vendors, the Internet would become increasingly safe to use for all of us.