Java exploits on the rise

Over the last few months we’ve seen a noticeable rise in the number of in-the-wild Java related exploits, some of which are pretty effective. We’ve been detecting most of these as Mal/WebStart-A.

The typical scenario we see is a compromised web page hosting a malicious Java applet which downloads and executes a PE file. So why have the bad guys taken to using Java as an attack vector? Well, why not? It works.

The bad guys only want to put effort into exploits that will provide the biggest return on investment. That means targeting applications that are likely to be running on the majority of potential victim computers.

The common targets in the past included Internet Explorer, Microsoft Office, Windows Media Player and more recently Acrobat reader and Shockwave flash.

Java hasn’t been as obvious a target since it was much easier to deliver the payload to those other applications (a well crafted email containing an interesting-sounding PowerPoint file for example). Java exploits fit nicely into the more modern and sophisticated web based attacks however.

I’ve not looked overly hard for a figure, but at JavaOne in 2008, Sun claimed that over 90% of personal computers on the internet have Java. Hardly surprising that the bad guys are adding Java exploits to their toolkit then.

So what should you do?

Well, as a minimum, visit this page. It is an official Java version checker and if you are out of date please update! You probably should also consider disabling Java in your browser but some exploits just require the runtime to be installed for them to work even if you disable Java in the browser. The most secure approach (if you are sure it won’t break anything) is to just uninstall the whole Java runtime.