Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Microsoft reports 'unprecedented wave' of Java malware exploits

By Ryan Naraine | October 18, 2010, 11:17am PDT

Summary: According to data from Microsoft’s malware protection center, there has been an “unprecedented wave” of exploits against vulnerabilities in Oracle Sun’s Java software in 2010.


Microsoft’s Holly Stewart notes that there has been a dramatic spike in Java attacks in the third quarter this year, mostly against these three vulnerabilities:

CVE | Attacks | Computers | Description
CVE-2008-5353 | 3,560,669 | 1,196,480 | A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
CVE-2009-3867 | 2,638,311 | 1,119,191 | Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
CVE-2010-0094 | 213,502 | 173,123 | Another deserialization issue, very similar to CVE-2008-5353.

“The first two, in particular, have gone from hundreds of thousands per quarter to millions,” Stewart said.

The startling data comes on the heels of last week's massive Java patch that covered 29 critical security vulnerabilities.


According to Oracle, 28 of these vulnerabilities could be remotely exploitable without authentication (over a network without the need for a username and password). The patches are available for Windows, Linux and Solaris users.

According to Oracle's advisory, 15 of the 29 vulnerabilities carry the maximum 10.0 CVSS severity rating.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Comments

RE: Microsoft reports 'unprecedented wave' of Java malware exploits
ebresie@... 24th Oct 2010
Since Java and PDF are not MS products, why are they providing this information? If they wanted to try to make marks they could have said MS products have xx vulnerabilities, but then most current vulnerabilities are still more MS product oriented anyway.
0 Votes
+ -
That is "Java and PDF", not "Java"
DeRSSS 18th Oct 2010
So we have a cheap, low-class trick in the headline.
0 Votes
+ -
Curious...
StephenChapman 18th Oct 2010
@denisrs

What was so cheap about leaving PDF out of the headline? Look at the colors representing PDF (dark) and Java (light) on the graph. It couldn't be any more clear that the news here pertains to the Java data -- not the PDF data.
@denisrs

The cheap, low-class trick is the bloated, slow JRE with its updates every week to fix bugs.

Unless, like me, you actually downloaded this rubbish or it came installed on one of the fringe OSs, you don't have anything to worry about because it was dumped from Windows long ago.

Java, just say no.
@tonymcs@...
>>Java, just say no.

Say no to Eclipse and NetBeans? pffft. Yeah right.
@denisrs maybe you have an issue reading graphs. Do you see where the java graph goes? Notice the PDF graph? Does it spike into the millions? No.
0 Votes
+ -
just M$ FUD!
Linux Geek 18th Oct 2010
and only windoze has been compromised!
Other OSes are doing just fine.
M$ should change the plate and fix its own mess!
0 Votes
+ -
WRONG!
Joe_Raby 18th Oct 2010
@Linux Geek

Both Mac OS X AND Linux are vulnerable. Learn to read!
0 Votes
+ -
wrong. no antivirus here
theo_durcan 18th Oct 2010
@Joe_Raby
no antimalware, no anti-nothing. In the meantime, just today a client asked me to recommend him an antivirus for his company. After some quick research I found hundreds of products dedicated to protecting Windows. Why so many?
@theo_durcan:

Software has to be classified as a "virus" for antivirus to detect it. Ask any security researcher what kind of attacks Linux clients get, and it's always remote code execution used to steal private data, usually on enterprise systems. Oh, and DoS attacks on web servers. Maybe you've just forgotten about all those high-level attacks?

So tell me, what kind of protection do you have against security holes, aside from patching? Windows has antimalware software as an extra layer, while Linux doesn't, and you want to argue that Linux is better because of that?
theo_durcan
Pretty simple. There's a market for them and there's a market for AV software, because with 90% (or more) of the Desktops in the world, attacking Windows makes good business sense (if you write malware).
@Joe_Raby

Not ALWAYS! Sometimes, scanners are able to 'heuristically' tell when something is dangerous by its behavior: such as trying to DELETE A WAD OF FILES in a directory or otherwise.
@Linux Geek

According to Oracle, 28 of these vulnerabilities could be remotely exploitable without authentication (over a network without the need for a username and password). The patches are available for Windows, Linux and Solaris users.


Wow, you're so biased that you didn't even bother to read the article. Nice.
@Heatlesssun
Well, not quite. JAVA applets have no root privs and on a backed up system can do no damage at all and only minor damage on a system that is not backed up.
Learn to think.
@kirovs

Huh? Learn to read, I simply quoted the article, and in spite of what you're saying the vulnerabilities still exist in *NIX no matter how much damage they may or may not be able to cause.
@Linux Geek - I agree with you. I mean, how could Java be so flawed as to have this many vuln's exploited so quickly? It's OSS, right, so EVERY OSS hacker EVERYWHERE has read and fully understood EVERY line of Java's source code. Right?

Right.
0 Votes
+ -
@De-Void actually you're wrong, it's not open source, it's quasi open source, this is why Oracle is suing Google for using Java in Android; they let out some of the code, but not all of it. And I don't know why everyone seems so surprised every time there is an exploit found in some piece of software, be it M$, or Mac or *nix; nothing is perfect ever, if it was then why would we need to upgrade? What matters is how long it takes to mitigate the threat, either by disabling something or releasing a patch. And for every fix we make, another hole is discovered.. But I do have issues with companies who let a severe exploit go for several months saying they will fix it in the next release, *Glares at Adobe*
@Linux Geek You're an idiot. All OS's are susceptible to Java/PDF exploits. And Java issues are also not MS's fault. And Windows has fewer exploits than ever. It's extremely difficult to exploit Windows these days, the user has to OK things for you to successfully exploit things.
@Linux Geek

You, like the makers of your desktop of choice, are clueless.
0 Votes
+ -
All I have to say is "PROVEN!"
Joe_Raby 18th Oct 2010
One common Java applet that came up on no less than *5* computers for service TODAY(!) is some program called "OpenConnection", sometimes titled "OpenStream" or similar naming schemes. It's a Java applet that is described as an "open-source video and audio streaming plugin". It even installs Start Menu shortcuts and a removal program that deletes the shortcuts but leaves the app in the Java folder. THIS PROGRAM IS A TROJAN DOWNLOADER, so don't let your kids install this on their system.

Websites are starting to offer this as a "media plugin", and it's spreading via Google Ads now. All it does is open up numerous other Java exploits to trojan plugins.

This is spreading FAST, so get your Java updates immediately, or just remove Java altogether and eliminate the possibility of being exploited by these!
The whole thing probably has to do with FSF-backed l33t hax0rz sniping at Oracle after the whole debacle that gave birth to LibreOffice/SkySQL.
0 Votes
+ -
Another one?
Joe_Raby 18th Oct 2010
@Stormbringer_57th

WTF happened to StarOffice?! It was around for years, and Sun at least tried to keep it competitive to Microsoft Office years back, but they lost their focus and it stagnated. Office XP and 2003 leapfrogged it, and now menu-and-toolbar-based office suites (which consist solely of Wordperfect and Ooo-based suites) now look ancient compared to Microsoft Office 2007 and 2010.

Ooo doesn't do anything major to improve productivity. It's still bloated, but it's bloated AND difficult to use. Microsoft Office may have a lot of features, but it's now easy to find (and use) them. Now, you can look at it a few ways. First, you have Microsoft. They're some tens of thousands of employees, sure. Do their teams talk to each other? Maybe. Whatever. They created a drastic change in Office 2007, and refined it in 2010.

Now, with OSS, you can either argue that there are thousands of programmers, but nothing really changes drastically, so I would easily argue that voices of change are drowned out. Or, you could say that there are smaller teams working on components. Ok, fine. So then they won't have enough resources to really take it in a different direction from the UI of Office 95. Either way, nothing is getting updated except for buglists. It's far from modernized, which is where it needs to be to attract users.
@Joe_Raby
Joe - with open source solutions, there are no "champions"...only "teams". Without a champion, software tends to languish...which is exactly what has occurred here. Need further proof: check on the number of failed open source software initiatives at sourceforge.com. It's incredible.
@Stormbringer_57th probably. Piss off the hackers and they will own you.
0 Votes
+ -
Loverock, HELP!!!
gfeier 18th Oct 2010
Your expertise is sorely needed!
0 Votes
+ -
LOOK EVERYONE!!! HE MENTIONS ME!!!
Loverock Davidson 18th Oct 2010
@gfeier

YIPPEE!!!
@Loverock Davidson Explain this one away oh uncredentialed one.
0 Votes
+ -
Gotta love Loverock
Uptime461 20th Oct 2010
@Loverock Davidson Love your work, I always get a laugh out of it.
For all the Loverock fans out there:
Crank loved void so
Cooks valid vendor
Involves odd croak
Avoid cloven dorks
0 Votes
+ -
Oh no....
happyharry_z 18th Oct 2010
@gfeier Don't get him started....
@happyharry_z

Why not? It's so much fun.
Congress can issue Letters of Marque and Reprisal (Constitution article 1 section 8) like they did in the Revolutionary War. Turn petty thieves' servers into slag or loot big time criminals and split the proceeds 50/50 with the government. Hey, privateers financed and won the revolutionary war for us, so why not modern-day privateers?
0 Votes
+ -
Java emerging as the most buggy technology
honeymonster 18th Oct 2010
Has been in the cards for some time. I guess Apple will soon have to up their ante - they are consistently 6 months behind on critical Java updates, meaning that the bad guys have 6 months to have fun on OS X once they have their tooling ready.
0 Votes
+ -
One does wonder if...
zkiwi 18th Oct 2010
Microsoft is about to release a "new improved, most secure ever" version of .net
0 Votes
+ -
.Net vs Java? Big difference.
Joe_Raby 18th Oct 2010
@zkiwi

The difference is in the management of code. Java is a free-for-all, whereas .Net is not (and for a reason).
0 Votes
+ -
RE: One does wonder if...
honeymonster 18th Oct 2010
@zkiwi

No need to. .NET is already an order of magnitude less vulnerable than Java.
An ulterior motive for this "shock horror" release was entirely lost on you. Ah well...
@zkiwi

If you cared to follow the links in the article you would see that this was reported by (respected) security expert Brian Krebs long before Microsoft broke the story about *their* observations.

You are assuming ulterior motives where there really is only responsible warning. It is not like Microsoft is asking users to uninstall Java (Brian Krebs does, though).
0 Votes
+ -
Another system
Joe_Raby 18th Oct 2010
...in with viruses that exploit these holes. There is also a trojan called "Delf" that is caused by a security hole that allows Flash to let outside code into its trusted space - its own Program Files folder.

Guess why.

I'll give you 2 hints: it begins with "A" and ends with "dobe".
0 Votes
+ -
Microsoft fails to mention...
AWolfe_II 18th Oct 2010
that Windows is more vulnerable than Unix-model operating systems for Java exploits because basically every attack gets Windows system privileges. On my MacBook, if a Trojan were to get in and run (somehow bypassing the download quarantine function), it would still run without root privileges.

I don't like the practice of pointing out Windows problems and then leading the reader to infer the problems are the same on Linux and Mac OSX.
@AWolfe_II
Nailed it on the head.
0 Votes
+ -
....he lost a few IQ points.

(he's wrong)
0 Votes
+ -
Clueless
honeymonster 19th Oct 2010
@AWolfe_II

There is no difference between the OSes in this regard. It is in your brainwashed head. Snap out of the RDF.
0 Votes
+ -
Just read this:

http://secunia.com/advisories/cve_reference/CVE-2008-5353/

"Description:
The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects"."
@Joe_Raby

And your point is what?

Hooay!
0 Votes
+ -
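The Secunia advisory quoted in the comment above gives the affected version ceilings for CVE-2008-5353 (JRE 6 Update 10, 5.0 Update 16 and 1.4.2_18 and earlier). As an added example, not part of the article or the comment thread, the following Python parses the first line of `java -version` output and flags an installed JRE that falls at or below those ceilings; the sample version strings are constructed, and any family the advisory excerpt does not list (such as 1.7) is reported as unknown rather than guessed.

```python
import re

# Affected-version ceilings for CVE-2008-5353, taken from the Secunia
# advisory text quoted on this page: JDK/JRE 6 Update 10 and earlier,
# 5.0 Update 16 and earlier, 1.4.2_18 and earlier. Keyed by (major, minor).
CVE_2008_5353_MAX_AFFECTED = {
    (1, 6): 10,   # 1.6.0_10
    (1, 5): 16,   # 1.5.0_16
    (1, 4): 18,   # 1.4.2_18
}

# Sun/Oracle `java -version` first line, e.g. java version "1.6.0_10"
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Parse `java -version` output into (major, minor, micro, update).
    Returns None when the text is not in the expected format."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def vulnerable_to_cve_2008_5353(output):
    """True if the installed JRE is at or below the advisory ceiling for its
    family, False if it is newer, None if the version is unparseable or the
    family is not covered by the advisory excerpt (check it manually)."""
    v = parse_java_version(output)
    if v is None:
        return None
    major, minor, _micro, update = v
    ceiling = CVE_2008_5353_MAX_AFFECTED.get((major, minor))
    if ceiling is None:
        return None
    return update <= ceiling


# Constructed sample outputs, not captured from real systems.
SAMPLES = {
    "unpatched 6u10": 'java version "1.6.0_10"\nJava(TM) SE Runtime Environment (build 1.6.0_10-b33)',
    "newer 6u11":     'java version "1.6.0_11"\nJava(TM) SE Runtime Environment (build 1.6.0_11-b03)',
    "old 1.4.2_18":   'java version "1.4.2_18"',
    "unknown family": 'java version "1.7.0"',
}

if __name__ == "__main__":
    for label, out in SAMPLES.items():
        print(label, "->", vulnerable_to_cve_2008_5353(out))
```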
On EVERY system, the exploit gets full user privileges without authentication. If the user has a root/administrator privilege session/process open, the exploit can inherit those permissions. It is the same on EVERY system. Java on Windows is no different - Java applets are run in user mode, NOT "kernel mode" as Linux FUDpackers would have others believe (JUST LIKE LINUX...and Mac OS X).

So Linux is EXACTLY as vulnerable as Windows. Same as OS X. There is NOTHING "inherent" about security in Linux, Unix, or OS X, sorry to say. They are no more secure. Period. End of discussion.
@Joe_Raby ... EXACTLY wrong, if the user has done the smart thing and is running the browser under mandatory access control protection (e.g. the AppArmor profile for Firefox is turned on). Then, these exploits are very limited in what they can do, to the point of being trivial.

What? Windows doesn't have a built-in way to protect from all such exploits, enforced from outside the apps and kernel? Wow, sounds to me like it's EXACTLY more vulnerable. EMET is a step in the right direction, but falls way short of true mandatory access controls (in fact, it's not really access control at all).

Now, that Linux distros don't ship with such controls ON by default, THAT is a legitimate complaint.
If RCE and RPE are impossible on Linux based systems, why do I regularly receive patches (for Ubuntu 10.04) to protect me from them?
@lehnerus2000

For the most part, you don't. The great majority of patches are for user-level apps, most of those aren't remotely exploitable, and those which are can't give root access under any remotely realistic scenario. Exceptions since the end of April: an SSL bug which could be used for a DoS. I think that's about it.

But of course you get patches for userspace bugs, all the time. When webkit (safari/chrome engine) is found to have security bugs, it gets patched on Linux just like on OS/X and Windows. Even if there are zero examples of anyone successfully exploiting the bug, it'd be stupid to leave it unpatched, don't you agree?
@IT Security Geek
I agree 100% that all software "holes" should be plugged.

Certain people claim that it is inherently impossible (due to superior coding) for RCE and/or RPE to ever occur.
The existence of patches, to prevent these events, seems to indicate that it can occur (under certain circumstances).
No flash and java on my windows 7 laptop, unlike OS X and LinSux
0 Votes
+ -
Probably just...
zkiwi 19th Oct 2010
Conficker, Zeus, and a bunch of other fun stuff. After all, you do run Windows, the home of 99.999% of malware.