Developers use Java less frequently than they once did, but it still often remains installed on computers, and it is increasingly becoming a target for criminals.
Why attack Java? Its prevalence, and the large number of outdated versions running on computers, make it an easy target for hackers. The numbers speak for themselves: according to Qualys, about eighty percent of large systems run an old version of Java. Since the third quarter of 2010, Microsoft has detected and blocked 6.9 million attempts to exploit Java vulnerabilities in a single quarter. In total, hackers made 27.5 million attempts to use exploits targeting Java vulnerabilities.
In total, three billion devices worldwide use Java, as do about 80% of browsers. At the same time, some security-conscious users disable or remove it as a precaution.
Last week the developers of the widely used Metasploit penetration-testing tool added a new module for the latest attack, which exploits a recently patched vulnerability in the Rhino script engine of Oracle's Java implementation. The bug, present in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier versions, was recently disclosed by various researchers and quickly found its way into crimeware kits.
“Java is everywhere and no one updates it properly,” said H D Moore, founder and chief architect of Metasploit and CSO at Rapid7. “Very few companies update it on their computers.”
“Oracle offers auto-update for Java, but it requires the user to have administrative privileges, which most companies do not allow,” he added.
Tim Rains, director of Microsoft Trustworthy Computing, said earlier in a blog post that the bug patched in Oracle Java had been exploited for months. “Vulnerabilities in Oracle Java software have been under relatively heavy attack for the past several months, and, as I mentioned, updates for these vulnerabilities have been available for some time,” said Rains. “If you have not updated Java in your environment, you should evaluate the current risks.”
“Among other things, organizations must be aware that multiple versions of Java may be installed on their systems,” he wrote.
The bug in Oracle Java, patched last month, essentially allows a Java applet to run arbitrary code outside the Java sandbox. Moore of Rapid7 said that the so-called Java Rhino exploit, which runs on multiple platforms including Windows, iOS and Linux, works in the background without revealing its presence to the user, who is the victim of a drive-by attack. Interestingly, Linux is currently the platform most vulnerable to this exploit: “Oracle has issued a patch and Apple released an update at the software level, but most Linux vendors have not released anything,” Moore explained.
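As a defender's check against the two points above (the affected release levels, and Rains' warning that a host may carry several Java installations), here is an added inventory audit that parses collected `java -version` strings and flags every runtime inside the range the article lists. It is not code from the article, Metasploit or Qualys; the tab-separated inventory format, host names and paths are constructed assumptions.

```python
import re
from collections import defaultdict
# Affected levels as the article states them: JDK/JRE 7 (no update) and 6 Update 27
# and earlier; release families older than 6 all count as "earlier versions".
AFFECTED_MAX_UPDATE = {7: 0, 6: 27}
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.\d+(?:_(\d+))?"')

def parse_version(line):
    """Return (family, update) from a `java -version` line such as
    java version "1.6.0_27" (Java 6 Update 27) or "1.7.0" (Java 7, no update)."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    major, minor, update = m.groups()
    family = int(minor) if int(major) == 1 else int(major)  # legacy 1.x numbering
    return family, int(update or 0)

def is_affected(family, update):
    """True if this release level falls inside the affected range above."""
    if family in AFFECTED_MAX_UPDATE:
        return update <= AFFECTED_MAX_UPDATE[family]
    return family < 6

def audit(inventory):
    """inventory: 'host<TAB>path<TAB><java -version line>' records, one per runtime.
    Returns {host: [(path, family, update, affected), ...]}, keeping every runtime."""
    report = defaultdict(list)
    for record in inventory:
        host, path, version_line = record.split("\t", 2)
        parsed = parse_version(version_line)
        if parsed is None:
            report[host].append((path, None, None, None))  # unknown: check by hand
            continue
        family, update = parsed
        report[host].append((path, family, update, is_affected(family, update)))
    return dict(report)

def hosts_at_risk(report):
    """Hosts with at least one affected or unrecognised runtime installed."""
    return sorted(host for host, installs in report.items()
                  if any(aff is None or aff for _, _, _, aff in installs))

# Constructed sample inventory (not real data); ws01 carries two runtimes, one at
# a later update level and one still inside the affected range.
SAMPLE_INVENTORY = [
    'ws01\tC:\\Program Files\\Java\\jre6\\bin\\java.exe\tjava version "1.6.0_29"',
    'ws01\tC:\\Program Files (x86)\\Java\\jre6\\bin\\java.exe\tjava version "1.6.0_26"',
    'ws02\t/usr/lib/jvm/java-7/bin/java\tjava version "1.7.0"',
    'ws03\t/usr/lib/jvm/java-1.5.0/bin/java\tjava version "1.5.0_22"',
    'ws05\t/opt/other/bin/java\topenjdk version "unparseable"',
]
```

A host is listed as at risk if any one of its runtimes is affected or could not be parsed, since a single leftover installation is enough for a drive-by page to target.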
Typically, this intrusion is used as the first stage of a multi-stage attack aimed at downloading an executable file or installing a bot.
Wolfgang Kandek, CTO of Qualys, said that the availability of a Metasploit exploit will help raise awareness of the risks associated with legacy Java applications. “The benefit of having this exploit available in Metasploit is that now the good guys are able to demonstrate how this attack works,” Kandek added.
A considerable share of the organizations found to have outdated versions of Java installed turned out to be large businesses. “Typically, there is no effective process for updating Java. It simply goes unnoticed,” he said.
What about disabling Java completely? Kandek said that he does not use it and that it is quite possible to live without it. “But some companies need it, and they need a way to make sure their systems run the latest versions of Java,” he added.