Greg Sinclair: Java exposed
There has been a marked increase in the number of Java vulnerabilities.
So said Greg Sinclair, associate practice leader for IBM SA, who was presenting at the ITWeb Security Summit 2014 yesterday.
According to Sinclair, there were 58 Java vulnerability disclosures in 2010, and the figure rose to 65 in 2011. He added that the tally went up to 68 in 2012 and skyrocketed to 208 in 2013.
In a survey of vulnerabilities across applications, Java ranks as the most attacked at 50%, followed by Adobe Reader (22%), browsers (13%) and others (15%), said Sinclair.
Highlighting the increase in vulnerabilities, he said more than half a billion records of personally identifiable information were leaked in 2013.
To exploit Java, attackers mostly made use of the Blackhole Exploit Kit. As of 2012, the kit was the most prevalent Web threat: 28% of all Web threats detected by Sophos and 91% of those detected by AVG were attributed to it. Its purpose is to deliver a malicious payload to a victim's computer. However, said Sinclair, its creator has been arrested.
He also revealed the Styx Exploit Kit grew in popularity among attackers in 2013 and was successful in exploiting Internet Explorer and Firefox on Windows.
To effectively target end-users, attackers also made use of watering hole attacks, in which the attacker injects malware into a special-interest Web site to reach its niche audience, Sinclair explained, adding that "malvertising" was also used to inject malware into ad networks. The attackers also embedded malicious ads on legitimate Web sites, he added.
Compared with native applications, Java is much more difficult to defend, as a successful exploit can give attackers unrestricted privileges or bypass native OS-level protections.
To boost security, major vendors continue to improve patching, Sinclair said, adding that the total number of unpatched vulnerabilities recorded dropped by 15% in 2013.
In conclusion, Sinclair urged organisations not to forget the basics. "The latest and greatest threat isn't what will get you," he cautioned.