Java Bests Adobe With Most Exploited Flaws


A Kaspersky Lab report indicates that Oracle Java bested Adobe applications in terms of the highest number of exploited vulnerabilities. The channel will need to arm itself with security tools in 2013 to stave off a wave of attacks.

Oracle Corp.'s Java outpaced Adobe applications with the most exploited software vulnerabilities, according to researchers at Kaspersky Lab, indicating to the channel that the vulnerable platform will require a meaty security arsenal and services for the foreseeable future.

Adobe Reader and Adobe Flash, which had ranked the highest in terms of the number of exploitable vulnerabilities in 2011, came in a respective second and third place behind Java. Altogether, Java security holes were responsible for 50 percent of attacks, while Adobe Reader comprised 28 percent of security incidents involving vulnerability exploits. Windows components and Internet Explorer were only exploited in 3 percent of incidents.

Meanwhile, it’s well known that vulnerability exploits are one of the primary means that cybercriminals distribute malware. In years past, cybercriminals had a wide open playing field with Microsoft Windows and Adobe flaws, which often topped the charts in terms of highest number of vulnerabilities leading to attacks.

Recently that trend experienced a bit of a turnaround, thanks to Microsoft’s monthly Patch Tuesday security bulletins and automatic updates. Likewise, Adobe also served to remove much of the low hanging fruit from the threat landscape with automatic updates and better detection mechanisms that ultimately posed obstacles for cybercriminals looking to gain easy entry.

Consequently, cybercriminals were prompted to turn their cannons elsewhere. And in 2012, their target of choice was Oracle’s Java.

And for a lot of reasons. For one, Oracle has consistently stayed leagues behind industry counterparts Microsoft, Adobe and even Apple in terms of its security update processes. And for good reason -- in the past, it had been Microsoft and Apple, not Oracle, that were responsible for releasing Java updates tailored to their own operating systems. To say that Oracle was a bit green in the security arena was a bit of an understatement.

That fact was not lost on cybercriminals, who pummeled Oracle’s Java platform in a series of high-profile attacks throughout the year. Over the summer, a zero-day threat garnered headlines by exploiting a flaw in the Java 7 archive, dropping a malicious applet, dubbed Dropper MsPMs, on affected systems. Once safely dropped, the malware, known as the Poison Ivy Trojan, then communicated with its Command and Control centers based in China and Singapore, according to researchers at FireEye.

And in April, the notorious Flashback Trojan exploited a Java vulnerability to spread on the Mac OS X platform, infecting more than 600,000 machines around the world at its height.

The spate of threats didn’t come without consequence for Oracle's Java. The Flashback threat ultimately prompted Apple to disable Java by default to reduce the threat’s propagation.

Meanwhile, researchers at Sophos Ltd., F-Secure, Kaspersky Lab ZAO and others called for users to ditch Java altogether until Oracle plugged the Java Archive hole. The Redwood Shores, Calif.-based software firm released a patch, but not before a critical mass of users disabled the program in order to circumvent attack.

Not surprisingly, Java vulnerabilities have represented an endless source of headaches for the channel, which is not likely to diminish in the near future. Following Java’s latest zero-day flaw, channel partners scrambled to disable the program for affected customers, while applying patches and beefing up security systems in order to stave off the threat. And it’s not likely that they’ll forget should a similar security fire alarm occur again in the near future.

Down the road, it’s possible that the Java 7 bug, and others, could spur Oracle to improve security processes and incident response times. Historically, unwieldy attacks have prompted Microsoft, Adobe and even Apple to implement regularly scheduled patch updates, and it wouldn’t be unprecedented for Oracle to follow suit, especially as the proliferation of attacks continues to compel users to do without Java altogether.

Until then, however, partners will need to be armed and ready to remediate an exponential rise in Java-related security threats for their customers, a challenge that will likely get worse in 2013 before it gets better.
