Since the start of the year, hackers have been exploiting vulnerabilities in Java to carry out a string of attacks against companies including Microsoft, Apple, Facebook and Twitter, as well as home users. Oracle has made an effort to respond faster to the threats and to strengthen its Java software, but security experts say the attacks are unlikely to let up any time soon.
Just this week, security researchers said the hackers behind the recently uncovered MiniDuke cyberespionage campaign used Web-based exploits for Java and Internet Explorer 8, along with an Adobe Reader exploit, to compromise their targets. Last month, the MiniDuke malware infected 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries.
The Java exploit used by MiniDuke targeted a vulnerability that hadn’t been patched by Oracle at the time of the attacks, Kaspersky Lab said in a blog post. Vulnerabilities that are made public or exploited before a patch is released are known as zero-day vulnerabilities, several of which have been used in the attacks against Java this year.
In February, software engineers from Microsoft, Apple, Facebook and Twitter had their work laptops infected with malware after visiting a community website for iOS developers that had been rigged with a Java zero-day exploit. The breaches were part of a larger “watering hole” attack, in which the attackers compromise websites their intended victims are known to visit rather than attacking the victims directly; it was launched from multiple websites and also affected government agencies and companies in other industries, The Security Ledger reported.
Oracle has responded to the attacks by issuing two emergency (out-of-band) security updates since the start of the year and by pulling forward a scheduled patch release. It has also raised the default security level of the Java browser plug-in to High, so that Web-based Java applications no longer run inside the browser until the user confirms a prompt. A prompt is still only a click away from running the applet, so the change limits drive-by exploitation rather than eliminating it.
Security experts say this is a good start but think more should be done to increase the adoption rate for updates and to improve the management of Java security controls in corporate environments. More importantly, they say, Oracle should thoroughly review its Java code to identify and fix the basic security issues. They believe Java would be more secure today if Oracle had listened to the security industry’s warnings over the years.
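As an added illustration of the kind of centrally managed Java security controls the experts are asking for (this is not from the original article or from Oracle; it is example configuration written for this page): the Java Runtime reads a system-level deployment.config that points at an administrator-owned deployment.properties, and any property there can be locked so users cannot override it in the Java Control Panel. The keys used below (deployment.security.level, deployment.webjava.enabled and the ".locked" suffix) are the ones Oracle documents for Java 7 Update 10 and later, where Oracle raised the default security level to High in Update 11; the file paths are the default Linux locations and are assumed for this example (on Windows the equivalent directory is under the Windows directory, Sun\Java\Deployment).

```properties
# /etc/.java/deployment/deployment.config  (system-wide; Linux default path, assumed here)
# Point every user's JRE at an admin-owned properties file, and refuse to run
# Java deployments at all if that file cannot be read, so the policy is not skipped.
deployment.system.config=file:///etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# /etc/.java/deployment/deployment.properties  (the file referenced above)
#
# Weak setting: the previous default. MEDIUM allows an unsigned applet to run
# without asking the user first, which is what drive-by exploits relied on.
#deployment.security.level=MEDIUM

# Hardened setting: HIGH is Oracle's new default and prompts before an unsigned
# or self-signed applet is allowed to run; VERY_HIGH is stricter still.
deployment.security.level=HIGH
# Lock the value so a user cannot lower it again from the Java Control Panel.
deployment.security.level.locked

# Where browser Java is not a business need, disable the plug-in outright
# instead of relying on users to cancel the prompt; the JRE itself stays
# available for desktop applications.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
```

The mandatory flag matters in practice: without it, a missing or unreadable system properties file silently falls back to per-user settings, which is exactly the gap the "management of Java security controls in corporate environments" complaint is about. Disabling the plug-in does nothing for update adoption, so the JRE version still needs to be tracked and patched separately.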
“It’s difficult to say what has been going on internally at Oracle for the past years, but based on an external impression I feel they could have reacted sooner,” said Carsten Eiram, chief research officer at consulting firm Risk Based Security, via email. “I’m not sure Oracle really took the predictions of Java being the next major target seriously.”
It’s unlikely Oracle could have prevented the recent attacks, he said, but it would be in a better position if it had acted sooner to secure its code and add more layers of security.
“I think the current state of Java security is due to the fact that Sun pushed Java very strongly when they still owned it,” said Costin Raiu, director of the global research and analysis team at Kaspersky Lab, via email. “After Oracle purchased Java, perhaps little interest went into this project.”
Oracle acquired Java when it bought Sun Microsystems in 2010. The software is installed on 1.1 billion desktop computers worldwide, according to information at Java.com. Its widespread deployment and cross-platform nature make it an attractive target for hackers. Researchers at Security Explorations, a Polish vulnerability research firm, have found and reported 55 vulnerabilities in the Java runtimes maintained by Oracle, IBM and Apple over the past year, 36 of them in Oracle’s version.
Full Story: Researchers: Java’s security problems unlikely to be resolved soon | PCWorld.