Java’s ease of portability among platforms has contributed to its widespread adoption (it runs on over three billion devices worldwide). Unfortunately, this widespread adoption has made Java a natural target for cybercriminals, who exploit the vulnerabilities of current and previous versions to spread malware, steal data and fulfill other malicious objectives.
How Attacks Exploit Java Vulnerabilities
This document illustrates the significant threats that can target Java vulnerabilities, and can help you understand your mitigation options and best practices to minimize the associated risks.
To understand and mitigate an organization’s potential exposure to Java vulnerabilities, it is vital to first understand Java’s role in today’s complex, multi-staged attacks. Let’s start by describing what Websense has identified as the seven stages of an advanced attack that comprise the threat kill chain. (Note that not all threats need to use every stage.)
Recon: Cybercriminals peruse personal, professional and social media websites for information to help them create seemingly trustworthy “lures” that link to compromised websites under their control.
Lure: Using information collected in the RECON stage, cybercriminals create innocuous-looking email, social media or other “lures” that can fool users into clicking links to compromised websites.
Redirect: In their lures, cybercriminals may use links that “redirect” users to safe-looking or hidden web pages that contain exploit kits, exploit code or obfuscated scripts.
Exploit Kit: Once a user has clicked through to a compromised website, an exploit kit fingerprints the victim’s browser and its plugins (Java among them) and selects an exploit for any unpatched vulnerability it finds, or a zero-day if the kit carries one. This is the first step toward further infiltration.
Dropper File: Once the exploit kit has found an opening, the cybercriminal delivers a “dropper file” to infect the victim’s system. The dropper file may contain software that executes on the victim’s system to begin the process of finding and extracting valuable data.
Call Home: Once the dropper file infects the target system, it “calls home” to a command-and-control server to download additional programs, tools or instructions.
Data Theft: The end-game of most modern cyberattacks, the data theft stage completes the threat kill chain. Cybercriminals steal intellectual property, personally identifiable information or other valuable data.
Cybercriminals tend to target the newest vulnerabilities in any framework or application, Java included, on the assumption that older flaws have already been patched and are no longer exploitable. Our research suggests this assumption does not hold for the Java install base: the huge number of endpoints still running older versions of Java makes them an unusually tempting target.
The longer a particular Java vulnerability has been public, the easier it is to exploit; many attackers simply reuse an existing exploit kit with little or no modification. As new vulnerabilities are disclosed, kit authors quickly update existing kits or build new ones. For example, within one week of the release of Java SE 6 Update 45 (1.6.0_45) and Java SE 7 Update 21 (1.7.0_21), new or updated exploit kits appeared targeting vulnerabilities disclosed with those updates, which every endpoint that had not yet upgraded still carried.
Therefore, with no lengthy and costly development cycles, and because exploit kits can be quickly obtained, tweaked and distributed, Java attacks have the potential to impact more people in less time than other attacks — and with predictable, proven and far-ranging results.
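The practical consequence of the above is that an organization needs to know, per endpoint, whether the installed Java build is at or above the update level that closed the vulnerabilities the kits are using. The following is an added example written for this page, not code from the Websense report: it parses the output of `java -version` as collected by an inventory tool (the inventory lines below are constructed) and compares each build against a baseline table. The baseline values used are the two April 2013 releases the text mentions, 1.6.0_45 and 1.7.0_21; the host names and the `BASELINES` table are assumptions and should be replaced with the current vendor patch level when run. The parser also accepts the post-Java 9 version format (`11.0.2`, `17`), which goes beyond the 1.x builds discussed here.

```python
"""Flag endpoints whose Java build is older than a patched baseline.

Added example for this page (not the report's own code). Assumes an
inventory export of `java -version` first lines, one per host.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]  # (family, minor, update), e.g. (7, 0, 21) for 1.7.0_21

# Assumption: minimum update level per Java family that counts as patched.
# These are the April 2013 releases named in the report; update them to the
# current Oracle Critical Patch Update before relying on the result.
BASELINES: Dict[int, Version] = {
    6: (6, 0, 45),   # Java SE 6 Update 45 (1.6.0_45)
    7: (7, 0, 21),   # Java SE 7 Update 21 (1.7.0_21)
}

_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")      # 1.7.0_21, 1.6.0_45-b06
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")   # 11.0.2, 17


def parse_java_version(text: str) -> Optional[Version]:
    """Extract (family, minor, update) from a `java -version` line or a bare version string.

    Returns None when no version can be recognised (e.g. Java is not installed).
    """
    quoted = re.search(r'version "([^"]+)"', text)
    version = quoted.group(1) if quoted else text.strip()
    m = _LEGACY.match(version)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    m = _MODERN.match(version)
    if m:
        return int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0)
    return None


def classify(text: str) -> str:
    """Compare one inventory line against BASELINES.

    patched     : build is at or above the baseline for its family
    outdated    : build is below the baseline for its family (exploit-kit territory)
    eol         : family older than anything in the baseline table (no fixes at all)
    no-baseline : family newer than the table knows about; extend BASELINES
    unknown     : line could not be parsed; verify the host by hand
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family = parsed[0]
    if family in BASELINES:
        return "patched" if parsed >= BASELINES[family] else "outdated"
    if family < min(BASELINES):
        return "eol"
    return "no-baseline"


def report(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its classification."""
    return {host: classify(line) for host, line in inventory.items()}


def needs_action(inventory: Dict[str, str]) -> List[str]:
    """Hosts that are anything other than 'patched', sorted for a ticket or a spreadsheet."""
    return sorted(host for host, status in report(inventory).items() if status != "patched")


# Constructed sample inventory: host name -> first line of `java -version` output.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ws-finance-01":  'java version "1.7.0_21"',
    "ws-finance-02":  'java version "1.7.0_17"',
    "ws-eng-07":      'java version "1.6.0_45"',
    "ws-eng-09":      'java version "1.6.0_31"',
    "srv-legacy-erp": 'java version "1.5.0_22"',
    "ws-it-03":       'openjdk version "11.0.2" 2019-01-15',
    "kiosk-lobby":    "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(report(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {status}")
    print("needs action:", ", ".join(needs_action(SAMPLE_INVENTORY)))
```

Note that "patched" here means only that the build is not older than the baseline you chose; a host on 1.7.0_21 was current in April 2013 and far behind a year later, which is exactly the drift the report describes. Anything in the `eol` bucket has no public fix available at all and is the first candidate for the plugin-disabling or isolation measures discussed under "What You Can Do".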
Once identified, Java vulnerabilities are documented and assigned a Common Vulnerabilities and Exposures (CVE) identifier. Table 1 lists the Java CVEs in existence during the March 2013 study; the percentage of users vulnerable to each CVE; and the exploit kits that attacked them.
Because studies repeatedly showed that most endpoints continued to run older versions of Java, and therefore remained highly exposed to exploitation throughout 2013, our researchers predict Java will remain highly exploitable and highly exploited throughout 2014. They also anticipate additional, related repercussions across the threat landscape. These include:
What You Can Do
There is no simple, single solution for addressing Java exploits. Rather, there are a handful of approaches to consider. Best practices typically recommend the frequent and regular patching of software installations to fix their vulnerabilities and protect them from attack. But the patching of Java presents unique risks organizations must carefully consider.
The challenge is that many core business processes and applications rely on a particular version of Java and cannot afford the disruption a patch might cause. Organizations must therefore weigh the risk of an attack against the potential loss of productivity, a significant consideration.
Fortunately, there are potential workarounds that could afford an acceptable balance between safety and productivity. For example, an organization could apply a patch for an earlier version of Java that is nonetheless compatible with its existing system requirements. The caveat is that this only helps while the vendor still ships fixes for that family: 1.6.0_45, cited above, was the last public update for Java SE 6, so endpoints pinned to Java 6 received no further public fixes after April 2013 and need the compensating controls below rather than patching alone.
There are still other options to reduce the risks caused by Java vulnerabilities. Organizations can combine these approaches to best suit particular situations and resources.
To promote the safe, productive use of Java-powered applications and devices, it is crucial to understand the potential risks and impacts of these exploitive attacks.
Java is a fundamental part of many business systems and a powerful tool for productivity, ensuring its place within organizations worldwide. However, the challenges with patching and managing Java make it highly vulnerable to cybercriminal attack. Maintaining productivity while protecting systems requires a balanced approach, and the kind of advanced real-time defenses and global threat intelligence.