Java Bests Adobe With Most Exploited Flaws


A Kaspersky Lab report indicates that Oracle Java bested Adobe applications in terms of the highest number of exploited vulnerabilities. The channel will need to arm itself with security tools in 2013 to stave off a wave of attacks.

Oracle Corp.'s Java outpaced Adobe applications with the most exploited software vulnerabilities according to researchers at Kaspersky Lab, indicating to the channel that the vulnerable platform will require a meaty security arsenal and services for the foreseeable future.

Adobe Reader and Adobe Flash, which had ranked the highest in terms of the number of exploitable vulnerabilities in 2011, came in a respective second and third place behind Java. Altogether, Java security holes were responsible for 50 percent of attacks, while Adobe Reader comprised 28 percent of security incidents involving vulnerability exploits. Windows components and Internet Explorer were only exploited in 3 percent of incidents.

Meanwhile, it’s well known that vulnerability exploits are one of the primary means that cybercriminals distribute malware. In years past, cybercriminals had a wide open playing field with Microsoft Windows and Adobe flaws, which often topped the charts in terms of highest number of vulnerabilities leading to attacks.

Recently that trend experienced a bit of a turnaround, thanks to Microsoft’s monthly Patch Tuesday security bulletins and automatic updates. Likewise, Adobe also served to remove much of the low hanging fruit from the threat landscape with automatic updates and better detection mechanisms that ultimately posed obstacles for cybercriminals looking to gain easy entry.

Consequently, cybercriminals were prompted to turn their cannons elsewhere. And in 2012, their target of choice was Oracle’s Java.

And for a lot of reasons. For one, Oracle has consistently stayed leagues behind industry counterparts Microsoft, Adobe and even Apple in terms of its security update processes. And for good reason -- in the past, it had been Microsoft and Apple, not Oracle, that were responsible for releasing Java updates tailored to their own operating systems. To say that Oracle was a bit green in the security arena was a bit of an understatement.

That fact was not lost on cybercriminals, who pummeled Oracle’s Java platform in a series of high-profile attacks throughout the year. Over the summer, a zero-day threat garnered headlines by exploiting a flaw in the Java 7 archive, dropping a malicious applet, dubbed Dropper MsPMs, on affected systems. Once safely dropped, the malware, known as the Poison Ivy Trojan, then communicated with its Command and Control centers based in China and Singapore, according to researchers at FireEye.

And in April, the notorious Flashback Trojan exploited a Java vulnerability that spread on the Mac OS X platform, infecting more than 600,000 machines around the world at its height.

The spate of threats didn’t come without consequence for Oracle's Java. The Flashback threat ultimately prompted Apple to disable Java by default to reduce the threat’s propagation.

Meanwhile, researchers at Sophos Ltd., F-Secure, Kaspersky Lab ZAO and others called for users to ditch Java altogether until Oracle plugged the Java Archive hole. The Redwood Shores, Calif.-based software firm released a patch, but not before a critical mass of users disabled the program in order to circumvent attack.

Not surprisingly, Java vulnerabilities have represented an endless source of headaches for the channel, which is not likely to diminish in the near future. Following Java’s latest zero-day flaw, channel partners scrambled to disable the program for affected customers, while applying patches and beefing up security systems in order to stave off the threat. And it’s not likely that they’ll forget should a similar security fire alarm occur again in the near future.

Down the road, it’s possible that the Java 7 bug, and others, could spur Oracle to improve security processes and incident response times. Historically, unwieldy attacks have prompted Microsoft, Adobe and even Apple to implement regularly scheduled patch updates, and it wouldn’t be unprecedented for Oracle to follow suit, especially as the proliferation of attacks continues to compel users to do without Java altogether.

Until then, however, partners will need to be armed and ready to remediate an exponential rise of Java-related security threats for their customers – a challenge that will likely get worse in 2013 before it gets better.
