Java continues to take hits as hackers launch attacks exploiting vulnerabilities in Oracle’s software in record numbers, new research shows.
Up to half of all attacks detected and blocked by Microsoft’s security software over a 12-month period were Java exploits, said Tim Rains, a director at Microsoft’s Trustworthy Computing group, citing the findings of a Microsoft report.
Altogether, Microsoft said it stopped more than 27 million Java exploits from mid-2010 through mid-2011. Most of those exploits targeted long-ago-patched vulnerabilities, Rains said.
The most commonly blocked Java attacks — over 2.5 million of them — in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the full 12-month stretch was an exploit of a bug patched in early December 2008, nearly three years ago.
Other bugs on the actively exploited list had been patched in November 2009 and March 2010.
Microsoft’s findings were no surprise to outside security researchers.
“Most [Windows] machines are just not up-to-date with Java,” said Wolfgang Kandek, chief technology officer at Qualys, a California developer of security risk and compliance management software and services.
Qualys regularly mines data from the machines of the customers it protects to get a feel for updating practices. And for Java, those practices are pathetic.
“Java updates lag behind seriously,” said Kandek. “Eighty-four percent of the machines we see don’t have the June 2011 Java update installed, 81% don’t have the February 2011 update and 60% don’t have the March 2010 update.”
Qualys doesn’t have enough scanning data yet to measure the patch rate for the October 2011 update, Oracle’s latest, but Kandek estimated as many as 90% of Windows PCs hadn’t deployed those fixes.
Enterprises typically patch vulnerabilities in Microsoft’s Windows much faster, Kandek continued, citing a “half-life” — the time by which users have patched half of all machines — of 29 days for run-of-the-mill Windows bugs. Critical patches deploy much faster: their half-life is 15 days.
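The “half-life” metric above is easy to compute from a patch-inventory feed, and doing so is how a defender would tell whether a Java update is lagging the way Kandek describes. The following is an added example, not code from the article or from Qualys: it takes constructed per-host install dates for a single update (the hosts, dates and delays are invented for illustration) and reports the day on which fleet coverage first reaches 50%, plus the unpatched fraction on any given day after release.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PatchRecord:
    """One host's status for one specific update; installed_on is None while unpatched."""
    host: str
    installed_on: Optional[date]


def make_fleet(release: date, delays_in_days: Sequence[Optional[int]]) -> List[PatchRecord]:
    """Build a constructed fleet: each delay is days after release until install (None = never)."""
    return [
        PatchRecord(host=f"host-{i:02d}",
                    installed_on=None if d is None else release + timedelta(days=d))
        for i, d in enumerate(delays_in_days)
    ]


def coverage_after(records: Sequence[PatchRecord], release: date, days: int) -> float:
    """Fraction of the fleet that has the update installed `days` after its release."""
    if not records:
        return 0.0
    cutoff = release + timedelta(days=days)
    patched = sum(1 for r in records if r.installed_on is not None and r.installed_on <= cutoff)
    return patched / len(records)


def unpatched_after(records: Sequence[PatchRecord], release: date, days: int) -> float:
    """The figure Qualys quotes: share of machines still missing the update on a given day."""
    return 1.0 - coverage_after(records, release, days)


def patch_half_life(records: Sequence[PatchRecord], release: date,
                    horizon_days: int = 365) -> Optional[int]:
    """Days after release until at least half the fleet is patched, or None if that never
    happens within the horizon (the Java case in the article)."""
    for d in range(horizon_days + 1):
        if coverage_after(records, release, d) >= 0.5:
            return d
    return None


# Constructed sample data (hypothetical release date and install delays, not real telemetry).
RELEASE = date(2011, 6, 1)
# A critical Windows patch rolled out briskly: half the fleet has it by day 15.
WINDOWS_CRITICAL = make_fleet(RELEASE, [3, 5, 8, 12, 15, 20, 40, None, None, None])
# A Java update that most hosts never install within the year.
JAVA_UPDATE = make_fleet(RELEASE, [30, 90, 200, None, None, None, None, None, None, None])


if __name__ == "__main__":
    for name, fleet in (("Windows critical", WINDOWS_CRITICAL), ("Java update", JAVA_UPDATE)):
        hl = patch_half_life(fleet, RELEASE)
        print(f"{name:17s} half-life: {hl if hl is not None else 'not reached'} days; "
              f"unpatched after 120 days: {unpatched_after(fleet, RELEASE, 120):.0%}")
```

A real inventory would replace `make_fleet` with per-host install dates pulled from an agent or scanner; the half-life is then simply the first day on which `coverage_after` crosses 50%, and a `None` result is the warning sign that an update is stalling the way the Java figures above suggest.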
The pervasiveness of Java is one explanation for the high volume of attacks exploiting its bugs, said Andrew Storms, director of security operations for nCircle Security.