Oct 19, 2010 10:47 GMT

Security researchers from Microsoft's Malware Protection Center (MMPC) warn of an unprecedented rise in exploitation attempts targeting Java vulnerabilities, especially during the third quarter.

"[…] By the beginning of this year, the number of Java exploits [...] had well surpassed the total number of Adobe-related exploits we monitored," Holly Stewart, senior program manager at Microsoft, writes on the MMPC blog.

However, according to Microsoft's data, the real surge in Java exploitation attempts began in the middle of the second quarter. The number of attempts rose from 500,000 to a peak of well over 6,000,000 during Q3.

This sudden spike can be attributed mainly to three vulnerabilities, all of which are relatively old. The most targeted one (3.5 million attacks) was CVE-2008-5353, which was fixed in December 2008.

The second was CVE-2009-3867 (2.6 million attacks), patched in November 2009, and the third was CVE-2010-0094 (213,000 attacks), addressed back in April.

Stewart says the reason Java exploits have not been discussed as much as PDF or Flash ones is that intrusion prevention systems (IPS) have a hard time detecting them.

The explanation is that parsing malicious Java code requires a Java interpreter, and Java interpreters are notoriously slow, leading to performance issues.

But, while Microsoft talks about an all-time high number of Java exploitation attempts, the more important aspect is how many of these attacks are actually successful.

Yesterday we reported that while analyzing a live attack using the Zombie Infection Kit, researchers from M86 Security discovered that over 60% of successful exploits targeted two Java vulnerabilities.

Well-known security blogger Brian Krebs has also written recently about the success of Java exploits in drive-by download toolkits.

The main issue here is that users fail to keep Java installations up to date, either because they don't even know that they have it installed or because the Java updater is ineffective.

Security experts advise removing Java if it's not needed or making an effort to keep it updated. Free programs like Secunia's Personal Software Inspector can help with that.

The latest Java Runtime Environment (JRE) version can be downloaded here.