More than a week after Oracle released a critical patch for Java, more than 68% percent of Internet computers are still vulnerable to attacks that exploit these vulnerabilities according to Trusteer. Since 73 percent of Internet users are using Java this may be the biggest security hole on the Internet today.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 29 new security fixes across Java SE and Java for Business products.
One week after it was released by Oracle only 7 per cent of Java users have installed the latest update. This is worrying because the majority of Java users on the Internet are vulnerable to a large and growing number of Java exploits in the wild. According to Microsoft, the vulnerabilities covered by the critical patch provide ‘...an unprecedented wave of Java exploitation...’ Trusteer believes it is the single most exploitable vulnerability on the web today.
“From a security threat standpoint Java is very much like Flash in that it is a ubiquitous technology installed on virtually every computer in the world, which makes an ultimate platform for distributing malware,” said Mickey Boodaei, Trusteer's CEO. “Using vulnerabilities in these applications is extremely efficient since it enables criminals to target more than two thirds of Internet users. Oracle is facing some major security challenges and one of its biggest hurdles is its software update mechanism. For some reason, it is not effective enough in distributing security patches to the field. Adobe experienced the very same problem last year and since then Flash has been the subject of multiple attacks. To date Adobe hasn't managed to overcome the problem although they are trying and have plans to introduce more security features in their future releases.”
According to Trusteer, the Java exploit posted to the Full Disclosure mailing list late last week appears to have been picked up by Russian hackers, who are currently exploiting an iFrame-compromised song lyrics site, which re-routes Internet users to a Russia-based malware server. This multi-level attack vector will have taken time to organise, which leads Trusteer to believe that hackers are now monitoring bug disclosure lists on a regular basis, and then mobilising their resources very quickly to create new zero day exploits.
Trusteer reccommends that enterprises identify all browser add-ons and browser technologies, not just Flash and Java, making sure to block unnecessary services and quickly update vulnerable add-ons and browsers. Use browser security technologies that can minimize and block the threat within the organization. Patch browsers and browser add-ons as soon as fixes are available.