Ex-hacker Jacques Erasmus of Webroot says careless users make Java an attractive prospect for criminals
The fact that Java runs on a large number of operating systems and is used extensively by the likes of Oracle means it provides attackers with a large number of victims. Those ‘victims’ might sit anywhere from the finance team to the sales division, giving cyber criminals access to sensitive data across an entire business. In addition, the software does not automatically update by default and so leaves older versions unprotected on many devices.
The rhino in the room
One of the most prevalent exploits observed to date is JavaRhino, which takes advantage of a vulnerability in the Rhino script engine of the Java Runtime Environment (JRE).
Unfortunately, it is not straightforward to patch the JRE on a weekly or even a bi-monthly basis, and the delay is likely to mean periods in which systems and people are not working effectively. This is partly why this particular exploit has proved so effective at infecting systems: it runs unauthorised code and executes a malicious payload in insecure environments.
The fact that Blackhole developers were able to update the framework with a module that easily compromises PCs only one month old demonstrates how complex Java is to secure. With different language versions and 32-bit and 64-bit builds to work through, an exploit in Java could remain effective for months, especially as most PC users and businesses can take months to update third-party software.
In addition, we are seeing criminals integrate exploits for new Java vulnerabilities at a much faster pace than ever before. Attackers are even re-using exploit code after patches are distributed; by modifying that code and applying different obfuscation techniques, they are able to avoid detection.
To uninstall or not to uninstall?
It would be logical to call on users to disable Java altogether. Unpatched Java is responsible for a large proportion of successful browser attacks. So why not just remove the vector by uninstalling it?
For those who do not use Java, this would be the appropriate call to action, as it reduces the attack surface available to exploits and their authors. For others, including many enterprises and banks, a lot of software still runs on Java and so carries known vulnerabilities. This requires that users remain diligent about keeping patches up to date and protect themselves by using browsers such as Chrome and Firefox, which have built-in automatic defences.
In addition, serious action is needed from developers to signal to the cybercriminal community that efforts are being made to protect vulnerable users who continue to be a target. Vendors of plug-ins such as Java, Flash and Adobe Reader must assume responsibility for providing timely patches to ensure users remain secure. They should consider providing automated updates by default to ensure their large user base remains protected.
In the absence of third-party action, it has been encouraging to see browsers such as Firefox and Chrome start to prompt the user before allowing Java code to run. These browsers have also started blocking content if a user is running an outdated version of Java, which provides a welcome layer of defence. For users who want to remain vigilant against these exploits, the best protection is to ensure the latest version of the Java JRE is used (currently version 7, update 5, released in June 2012). It is also essential to run antivirus software so that you have a strong layered defence in place against these exploits.
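A simple way to act on the advice above is to inventory which JRE versions are actually installed and flag any that fall below the baseline the article names (Java 7 Update 5). The script below is an added example, not code from the article or from Webroot; it assumes the classic banner format that `java -version` prints (`java version "1.7.0_05"`) and uses constructed sample banners so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article): flag JRE installs older than the
# baseline the article names, Java 7 Update 5, version string "1.7.0_05".
# Assumes the classic "java -version" banner format on stderr:
#   java version "1.7.0_05"

MIN_MAJOR=7
MIN_UPDATE=5

# Pull the quoted version string out of a "java -version" banner fed on stdin.
jre_version_from_banner() {
    sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Strip leading zeros so "05" compares as 5 rather than being read as octal.
to_number() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${n:-0}"
}

# Exit status: 0 = meets baseline, 1 = older than baseline, 2 = unparseable.
jre_is_current() {
    ver="$1"
    pat='^1\.\([0-9][0-9]*\)\.[0-9][0-9]*_\([0-9][0-9]*\).*'
    major=$(printf '%s' "$ver" | sed -n "s/$pat/\1/p")
    update=$(printf '%s' "$ver" | sed -n "s/$pat/\2/p")
    [ -n "$major" ] && [ -n "$update" ] || return 2
    major=$(to_number "$major")
    update=$(to_number "$update")
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -lt "$MIN_MAJOR" ]; then return 1; fi
    if [ "$update" -ge "$MIN_UPDATE" ]; then return 0; fi
    return 1
}

# One-line verdict for a banner; always exits 0 so it can sit in a loop
# over many hosts without aborting under "set -e".
report_banner() {
    ver=$(printf '%s\n' "$1" | jre_version_from_banner)
    if jre_is_current "$ver"; then rc=0; else rc=$?; fi
    case $rc in
        0) printf 'CURRENT %s\n' "$ver" ;;
        1) printf 'OUTDATED %s\n' "$ver" ;;
        *) printf 'UNPARSEABLE %s\n' "$ver" ;;
    esac
    return 0
}

# Constructed sample banners standing in for real "java -version" output.
SAMPLE_OLD='java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)'
SAMPLE_NEW='java version "1.7.0_05"
Java(TM) SE Runtime Environment (build 1.7.0_05-b06)'

report_banner "$SAMPLE_OLD"   # OUTDATED 1.6.0_31
report_banner "$SAMPLE_NEW"   # CURRENT 1.7.0_05

# On a live machine, feed the real banner instead of the samples:
#   report_banner "$(java -version 2>&1)"
```

An OUTDATED verdict is the cue either to patch the JRE or, where nothing on the machine needs Java, to remove it; an UNPARSEABLE verdict usually means a vendor-specific banner and deserves a manual look rather than being treated as current.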
What we are seeing now is the maturity in the exploit kit framework model for malicious code delivery. The Blackhole exploit kit has gained a huge amount of exposure within the media and the underground and is by far the most popular exploit kit available, allowing for infections to be deployed to a large number of end users with ease.
We will continue to see cyber criminals refine the exploit kit delivery model, making exploits more effective and making it easier to target specific types of traffic more accurately. For the time being, the best route to Java protection is to patch it, disable it or demand better protection.
Jacques Erasmus is chief information security officer at Webroot.