Crackers who develop exploit kits are focusing on Java vulnerabilities, because the success rate of the attacks is quite high.
Java vulnerabilities are increasingly exploited by hackers to infect computers, and the problem could become bigger if Oracle does not do more to ensure the security of the product and maintain its current install base, according to security researchers who will talk about Java-based attacks at the Black Hat security conference that is taking place in Las Vegas, USA.
A large number of computers are currently infected through drive-by download attacks carried out with the help of exploit toolkits – malicious applications designed to exploit vulnerabilities in the browser, usually found in plugins like Flash Player, Adobe Reader or Java.
Java was acquired by Oracle as part of the purchase of Sun Microsystems in 2010. About two years ago, the plugins targeted were Flash Player and Adobe Reader, but many of today’s kits exploit Java, said Jason Jones, a security researcher at HP DVLabs, the vulnerability research division of HP.
Jones has followed the development of some of the toolkits used for exploitation on the Web, such as Blackhole or Phoenix, and will present his findings at Black Hat on Thursday.
A clear trend is that exploit kit developers are increasingly focusing on Java, Jones said. They are also integrating exploits for new Java vulnerabilities at a much faster pace than before.
In some cases, attackers reuse exploit code published online by security researchers of Oracle. However, they modify it and apply different obfuscation techniques in order to avoid detection by security products.
“Overall, we have seen the amount of Java malware grow over time, based on our telemetry,” said a researcher at the Microsoft Malware Protection Center, via e-mail. The researcher is scheduled to speak about recent trends in Java exploitation and malware at Black Hat on Thursday.
Cybercriminals are attracted to Java vulnerabilities because the success rates are high. For example, the success rate of one particular exploit integrated into Blackhole in 2011 was above 80%, said Jones.
This is because users are not downloading and installing the available security updates in a timely manner, which will be an even bigger problem now that attackers are finding new vulnerabilities in Java sooner.
Adobe dealt with low patch adoption rates for Flash Player and Adobe Reader by improving the update mechanisms for these products and even implementing automatic updates for Flash Player.
These changes had a direct impact on the frequency of attacks on the two products, as did other security measures taken by the company, such as the introduction of a Security Development Lifecycle (SDL) – a series of code reviews and development practices designed to reduce the number of vulnerabilities – or the implementation of a sandbox (a utility that isolates applications, limiting third-party access to the OS), said Carsten Eiram, chief security specialist at vulnerability management company Secunia.
Java already has a sandbox that should, theoretically, limit what third-party code can do. However, according to Oh, a single vulnerability can break the security model and allow attackers to execute malicious code directly on the system.
According to Eiram, Java has some major code-related security issues. Many of the vulnerabilities found in Java are very basic ones that could be prevented by a good SDL program.
Eiram researched the effects that Microsoft's SDL program had on Office over the years and found that the program led to a significant decline in the number of vulnerabilities found in the product, leaving it almost nil in Office 2010.
Researchers agree that Oracle needs to do something to make Java a less attractive target for crackers. “Automatic updates will provide many benefits if implemented by Oracle,” said Oh. “The hackers are taking advantage of the time interval between the release of a fix for programs and updates.”
Most exploits designed to take advantage of Java target vulnerabilities that were already corrected by Oracle. However, Eiram believes this will change and crackers will soon begin to focus on unpatched (zero-day) vulnerabilities in Java instead of Flash, which is currently the favorite target for zero-day attacks.
According to Eiram, Oracle may have difficulty dealing with these attacks because it is not one of the more responsive vendors right now. It avoids communicating openly about security issues or confirming their existence, even to security researchers who report vulnerabilities to it.
Click to play
Software vendors who develop plugins deployed in browsers, such as Java, Flash or Adobe Reader, have a responsibility to make them as safe as possible and to respond to security incidents as quickly as possible, said Eiram. Adobe has made a number of security improvements in recent years, but Oracle is still too slow and unresponsive.
“Any third-party software with a large base of users can be a possible target in the future,” said Oh. “But until you apply any effort to make software more secure and it has a large base of users, there is no reason for the bad guys to stop abusing the vulnerabilities found in it. Especially when these guys have a high rate of success with these vulnerabilities.”
In the absence of improvements coming from the developers of plugins, some browser makers have built defenses into their programs in order to protect their users.
Chrome, for example, automatically disables outdated plugins that are known to be vulnerable. Mozilla, in turn, has a blacklist for plugins in Firefox and, in fact, used it in April to block vulnerable Java plugins, in response to widespread attacks that targeted a flaw in older versions.
Click-to-play is another browser feature that can prevent attacks on plugins, because it prevents automatic playback of content that requires them to work. The feature is already present in Chrome and is currently being built for Firefox.
Jones recommended that users enable click-to-play when it is available in their browsers. Another defensive approach is to remove the Java plugin altogether, if it is unnecessary.
Unfortunately, not everyone can do that, especially in a business environment, where Java is used in many internal applications. For example, some banks even have their online banking systems built around Java, said Eiram.