The Dark Side Of Java

It's a declining tool on the developer side, but Java remains a major yet oft-forgotten presence on the desktop that is increasingly being targeted by the bad guys.

Why Java as an attack vector? Its pervasiveness and inordinate number of out-of-date versions running out there on desktops are making Java the black hat hacker's choice of late. The numbers say it all: Some 80 of enterprise systems run outdated, unpatched versions of Java, according to data from Qualys. And since the third quarter of 2010, Microsoft has detected or blocked some 6.9 million exploit attempts on Java each quarter, with a total of 27.5 million attempted exploits during that 12-month period.

Overall, 3 billion devices and 80 percent of browsers worldwide use Java. Meanwhile, some security-savvy users are disabling or uninstalling it altogether as a precaution.

Developers of the wildly popular open-source Metasploit penetration-testing tool this week added a new module for the latest Java attack that abuses a recently patched vulnerability in Oracle's Java implementation, Rhino. The flaw in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier versions, which initially was publicized by researchers here and here and then was quickly "productized" into a crimeware kit in the underground, as blogger Brian Krebs discovered. Krebs On Security reported that the attack also was getting rolled into the BlackHole crimeware kit.

"Java is everywhere, and no one updates it properly," says HD Moore, creator and chief architect for Metasploit and CSO at Rapid7. "Very few enterprises update it on desktops."

Oracle does offer an auto-update feature for Java, but it requires admin privileges for the desktop user to use it, something most enterprises don't allow, Moore says.

Microsoft's director of Trustworthy Computing, Tim Rains, earlier this week noted in a blog post that patched flaws in Oracle's Java software have been under siege for months. "Vulnerabilities in Oracle’s Java software have been getting attacked on a relatively large scale for many months and, as I already mentioned, security updates for these vulnerabilities have been available for some time," Rains said. "If you haven’t updated Java in your environment recently, you should evaluate the current risks."

Among other things, organizations need to be aware that they might have multiple versions of Java running, he said.

The Oracle Java flaw, which was patched by Oracle last month, basically lets a Java applet run arbitrary code outside of the Java sandbox. Rapid7's Moore says the so-called java rhino exploit -- which works across multiple platforms, including Windows, iOS, and Linux -- happens in the background, unbeknown to the user hit by the drive-by exploit. Interesting, Linux is most vulnerable to the attack right now: "Oracle patched it; Apple pushed an update at the software level. But most Linux vendors … haven't pushed updates," Moore says.

It's typically used as a first stage in a multistage attack, used for downloading an executable file or installing a bot.

Wolfgang Kandek, CTO of Qualys, says having Metasploit supporting the latest exploit will help raise awareness about the dangers of out-of-date Java apps. "The benefit of having it in Metasploit is that the good guys can demonstrate how this [attack] works," he says.

Many of the organizations found running outdated Java apps in Qualys' customer data were large enterprises, he says. "There tends to be no good process for patching Java. It flies under the radar," he says.

What about disabling Java altogether? Kandek says he doesn't use it, and it's possible to survive without it. "But some companies need it, and they should figure out how to be sure they are on the latest version of it," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.