There has been an “unprecedented wave” of exploits against vulnerabilities in Oracle’s Java during the third quarter of this year, according to data from the Microsoft Malware Protection Center. The software giant provided the following data to back its claims, outlining three specific vulnerabilities (all of which have patches available) that are being exploited en masse:
|2008-5353||3,560,669||1,196,480||A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.|
|2009-3867||2,638,311||1,119,191||Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.|
|2010-0094||213,502||173,123||Another deserialization issue, very similar to CVE-2008-5353.|
As you can see, the first two are particularly worrying: they’ve gone from hundreds of thousands per quarter to millions. The third one is the newest, so it’s possible that it will also do the same.
This development is not terribly surprising if we take into account how often Oracle fixes vulnerabilities in Java that are remotely exploitable without authentication and how Java’s updater is annoying with its prompts, but isn’t exactly the best at actually deploying the required patches.
Over the last few years, the main focus of vulnerability protection has been steadily moving away from the OS and instead to the browser, and the applications that it depends on. Last year, Adobe Reader took the crown away from Microsoft Office as the software with the most vulnerabilities. Brad Arkin, Senior Director of Product Security & Privacy for Adobe Systems, announced in May 2009 that a major Adobe Reader and Acrobat security initiative was underway: code hardening, incident response process improvements, and a shift to a regular security update schedule. Two months ago, Microsoft announced it has been working with the company to give Adobe Reader a Protected Mode.
Java is arguably just as ubiquitous Adobe Reader, it has tens of vulnerabilities patched on a regular basis, and it’s a technology that runs in the background. The latter means users aren’t as inclined to update it. It appears that Oracle is going to have to follow in Adobe’s footsteps if it wants to avoid a serious problem, which could include putting aside its differences with Microsoft and asking for help.