Oct 18, 2010 16:44 GMT  ·  By

While analyzing a live drive-by download attack, researchers from M86 Security found that one in ten users visiting the compromised pages were being infected because they had an outdated version of Java installed.

The exploit toolkits used in drive-by download attacks target known arbitrary code execution vulnerabilities in older versions of popular applications, like Adobe Flash Player, Adobe Reader, Java or even the browsers themselves.

Successful exploitation results in malware being installed on the visitor's system in a way that is transparent to them.

There are various exploit toolkits on the underground market, some more popular than others and each targeting a different set of vulnerabilities.

The exploit pack used in this attack is called Zombie Infection Kit and is neither the most popular, nor the most sophisticated.

The toolkit exploits two Java vulnerabilities, four Adobe Reader ones (via a single PDF document), the Windows XP Help Center (HCP) flaw discovered earlier this year, an old one in IE6 and two in Adobe Flash Player.

According to its control panel, the two Java vulnerabilities accounted for a bit over 60% of all successful infections. This is consistent with numbers seen in other exploit toolkits.

Given that the overall infection rate achieved by this installation of Zombie Infection Kit was 15.39%, roughly 60% of that works out to about 9% of all users who landed on the infected pages being compromised through Java exploits.

This suggests that people are failing to keep this fairly ubiquitous application up to date. The Java Update checker fires up once a month on a random day and at a random hour, so a lot of people are likely to miss it.

Adding to that is the fact that until Java 6 update 10, released in October 2008, new versions were being installed alongside older ones for compatibility reasons, leaving the older, still exploitable runtimes on the machine.
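Because of that side-by-side behaviour, running `java -version` only reports the runtime first on the PATH and says nothing about older copies still installed. The following PowerShell script is an added example, not part of the article or of M86's research: it enumerates every JRE registered on a Windows host by reading the `JavaSoft\Java Runtime Environment` registry keys the Sun/Oracle installer writes (the 32-bit view under `Wow6432Node` on 64-bit Windows is included), de-duplicates the family keys such as `1.6` that point at the same directory as `1.6.0_21`, and flags any host carrying more than one runtime. The key paths and the `JavaHome` value name are assumptions based on the standard installer layout; manually unpacked copies or browser plug-ins registered elsewhere are not covered.

```powershell
# Added example (not from the article): list every registered JRE and
# flag side-by-side installs that an ordinary "java -version" would hide.
# Assumes the standard JavaSoft registry layout written by the installer.

$jreKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'   # 32-bit JRE on 64-bit Windows
)

function Get-InstalledJre {
    $seen = @{}
    foreach ($key in $jreKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $javaHome = (Get-ItemProperty -Path $sub.PSPath).JavaHome
            if (-not $javaHome) { continue }            # e.g. the 'BrowserJavaVersion' values, not a runtime
            # Family keys ('1.6') and full-version keys ('1.6.0_21') share a JavaHome;
            # keep the more specific name for each distinct install directory.
            if ($seen.ContainsKey($javaHome) -and $seen[$javaHome].Length -ge $sub.PSChildName.Length) { continue }
            $seen[$javaHome] = $sub.PSChildName
        }
    }
    foreach ($dir in $seen.Keys) {
        [pscustomobject]@{
            Version  = $seen[$dir]
            JavaHome = $dir
            Present  = Test-Path (Join-Path $dir 'bin\java.exe')   # registry entry may outlive the files
        }
    }
}

$jres = @(Get-InstalledJre | Sort-Object Version)

if ($jres.Count -eq 0) {
    Write-Output 'No JRE registered in the registry.'
} else {
    $jres | Format-Table -AutoSize
    if ($jres.Count -gt 1) {
        Write-Warning ("{0} runtimes registered; older ones stay exploitable even after an update. " +
                       "Uninstall everything except the newest (or all of Java if it is unused).") -f $jres.Count
    }
}
```

Run it from an elevated PowerShell prompt so both registry views are readable; the `Present` column separates stale registry entries from runtimes that are actually on disk, which is the set that matters for a drive-by exploit.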

"Java exploits are becoming increasingly useful for web attackers, as many people don’t even know that Java is installed on their machines, or that it may need to be updated. [...]

"We strongly recommend users uninstall Java if they don’t use it, or remove old versions and upgrade to the latest version," the M86 researchers write.