Java Vulnerabilities Increasingly Targeted by Hackers
One of the world's most popular programming language, Java was targeted by attackers to infect computers because of it's increasing vulnerabilities. According to security researchers the problem is rapidly increasing if Oracle doesn't do more to secure the product and keep its installation base, up to date.
The higher vulnerability problem of Java was being discussed during the recently held Blackhat USA 2012 which was held from July 16 up to July 26, 2012.
There are large number of computers that were already infected through drive-by-download attacks performed with the help of Web exploit toolkits, malicious Web applications designed to exploit vulnerabilities in widespread browser plug-ins like Flash Player, Adobe Reader and Java.
According to Jason Jones, a security researcher with HP DVLabs, Hewlett Packard's vulnerability research division, a couple of years ago, the most targeted browser plug-ins were Flash Player and Adobe Reader but today's web exploits rely heavily on Java environment.
Some of the most commonly used web exploit toolkits such as Blackhole or Phoenix was discussed during the Black hat 2012. Web exploits trend nowadays depends heavily on Java and new vulnerabilities were recorded at a much faster pace than before.
Security experts also warned that there are cases that the attackers reuse exploit code that gets published online by security researchers after Oracle patches the vulnerabilities. However, they modify it and apply different obfuscation techniques to it in order to evade detection by security products.
Another security researcher from Microsoft Malware Protection, Jeong Wook Oh, stated that the amount of Java malware were increasing over time, based on telemetry.
The things that attracted cyber-criminals to Java exploits because they can have very high success rates, which could rate as much as 80 percent.
Other companies such as Adobe dealt with their vulnerabilities accordingly by improving the update mechanisms for their products and even implementing automatic updates for Flash Player.
Those changes had a direct impact on the overall frequency of attacks targeting the two products and so did other in-depth security measures taken by the company, like the introduction of a SDL (security development cycle), and the implementation of sandboxing technologies.
Sun Microsystem implemented sandbox on Java already that should theoretically keep third-party code contained. However, a single vulnerability can break this security model and allow attackers to execute malicious code directly on the system.
Carsten Eiram, the chief security specialist at vulnerability management firm Secunia stated that Java has some pretty big security problems at the code level. Eiram said that many of the vulnerabilities found in Java are basic ones that could be prevented by a good SDL program.
Another issue that Java should look into is the automatic background update that will provide a lot of benefit if it is implemented by Oracle. The attackers are abusing the time gap between patch release and user updates.
Oracle could have a hard time dealing with vulnerability attacks, because they're not one of the most responsive vendors at the moment. They avoid communicating openly about security issues or confirming their existence, even to security researchers who report vulnerabilities to the company.
Java needs a lot of fixes to cope up with their problems of vulnerabilities. Getting suggestions from security advisers could help them in coping up with the problem.
How about you, are you using Java as your programming language, let us discuss some of your problems involving the language. Just feel free to add your comments below.