As predicted at the end of 2012 and proved by the ever expanding use of exploit kits, vulnerabilities in popular and widespread software such as Java and Adobe’s Acrobat Reader and Flash top the list of the most exploited by cyber crooks.
Zero-day vulnerabilities are less of a problem than old ones – in fact, given that many people still use older, vulnerable versions of the software, wielding exploits for zero-days is practically unnecessary for your average cyber crook that goes after money.
And the situation is about to get a lot worse, says Trend Micro Threat Communications Manager Christopher Budd.
“We are seeing attacks targeting unpatched vulnerabilities in Java 6, a widely-deployed but no-longer supported version of Java. And we are seeing an increase in attack sophistication with attackers carrying out lower level attacks against the Java Native Layer,” he writes.
Oracle ended support for Java 6 in February 2013, which means no more security fixes. “While a vendor ending support and no longer providing security fixes isn’t a new thing, the fact that more than 50% of users out there are still running Java 6 makes this an unprecedented situation,” he points out.
Following the discovery of the widespread active exploitation of a Java zero-day in January 2013, several security experts have urged users to disable Java if they don’t need it. A few months earlier, Apple had decided to leave the updating of Java 7 to Oracle and to uninstall its Java applet plug-in from all web browsers (users could download it afterwards from Oracle if they wanted to).
Nevertheless, there are still some three billion devices out there using Java, and over half of them are running the flawed Java 6.
“And now we are seeing the first instance of active attacks against this large pool of vulnerable targets. With the JAVA_EXPLOIT.ABC attack targeting CVE-2013-2463 we have a patched Java 7 vulnerability that’s unpatched on Java 6 and being attacked. While the attacks aren’t widespread yet, it has been incorporated into the Neutrino Exploit Kit which points to a high likelihood of increasing attacks against this vulnerability,” Budd shared, adding that this is just the first “in what is sure to be an ongoing series of attacks against unpatched Java 6 vulnerabilities.”
He urges Java users either to disable it if it’s not needed, or to update it to the latest version. If neither of these things is possible, other active protections should be considered.
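The first step behind that advice is knowing which hosts still run the end-of-life Java 6 line. The following script is an added example, not code from the article or from Trend Micro: it parses the banner that `java -version` prints (to stderr, which is why the probe captures that stream) and flags any runtime below Java 7. It handles both the legacy `1.x.y_z` version scheme used by Java 6 through 8 and the `9+` scheme adopted later. The sample banners are constructed; the threshold of 7 is an assumption taken from the article's point that Java 6 no longer receives fixes.

```python
import re
import subprocess
from typing import Optional

# Constructed sample banners, modelled on what `java -version` prints.
SAMPLE_JAVA6_OUTPUT = (
    'java version "1.6.0_45"\n'
    'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)\n'
    'Java HotSpot(TM) Client VM (build 20.45-b01, mixed mode, sharing)\n'
)
SAMPLE_JAVA7_OUTPUT = (
    'java version "1.7.0_25"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_25-b15)\n'
)
SAMPLE_OPENJDK11_OUTPUT = (
    'openjdk version "11.0.2" 2019-01-15\n'
    'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n'
)

# Assumption: anything older than Java 7 is out of vendor support
# (the article: Oracle ended Java 6 support in February 2013).
MIN_SUPPORTED_MAJOR = 7

# Matches the first line of the banner for both version schemes:
#   java version "1.6.0_45"      -> legacy scheme, major is the second field
#   openjdk version "11.0.2" ... -> modern scheme, major is the first field
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?[^"]*"')


def parse_major(banner: str) -> Optional[int]:
    """Return the Java major version found in a `java -version` banner, or None."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    first = int(match.group(1))
    second = match.group(2)
    if first == 1 and second is not None:
        # Legacy "1.x" numbering: 1.6 is Java 6, 1.7 is Java 7, 1.8 is Java 8.
        return int(second)
    return first


def assess(banner: Optional[str]) -> str:
    """Classify a host from its banner: 'not-found', 'unsupported' or 'supported'."""
    if banner is None:
        return "not-found"
    major = parse_major(banner)
    if major is None:
        return "not-found"
    return "unsupported" if major < MIN_SUPPORTED_MAJOR else "supported"


def probe_local_java(java_path: str = "java") -> Optional[str]:
    """Run `java -version` on this host and return its banner (stderr), or None."""
    try:
        result = subprocess.run(
            [java_path, "-version"], capture_output=True, text=True, timeout=15
        )
    except (OSError, subprocess.SubprocessError):
        return None  # no Java on PATH, or it failed to start: nothing to patch
    return result.stderr or result.stdout


if __name__ == "__main__":
    for label, banner in [("sample-java6", SAMPLE_JAVA6_OUTPUT),
                          ("sample-java7", SAMPLE_JAVA7_OUTPUT),
                          ("sample-openjdk11", SAMPLE_OPENJDK11_OUTPUT),
                          ("this-host", probe_local_java())]:
        print(f"{label}: {assess(banner)}")
```

Run it on a host and the last line tells you whether that machine belongs to the pool the article describes; feeding it banners collected by an inventory tool lets the same `assess` function produce a fleet-wide list of Java 6 installs to disable or upgrade.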
He also worries that with the upcoming retirement of Windows XP, which is predicted to be still used by some 33 percent of Windows users by April 2014 and is currently the most often compromised version of the OS, the pool of potential victims will become even larger.