Java Bests Adobe With Most Exploited Flaws

A Kaspersky Lab report indicates that Oracle Java bested Adobe applications in terms of the highest number of exploited vulnerabilities. The channel will need to arm itself with security tools in 2013 to stave off a wave of attacks.


Oracle Corp.'s Java outpaced Adobe applications as the software with the most exploited vulnerabilities, according to researchers at Kaspersky Lab, a signal to the channel that the vulnerable platform will require a substantial security arsenal and services for the foreseeable future.

Adobe Reader and Adobe Flash, which had ranked highest in terms of the number of exploited vulnerabilities in 2011, came in second and third, respectively, behind Java. Altogether, Java security holes were responsible for 50 percent of the exploit-based attacks Kaspersky recorded, while Adobe Reader accounted for 28 percent of security incidents involving vulnerability exploits. Windows components and Internet Explorer were exploited in only 3 percent of incidents.


Meanwhile, it is well known that vulnerability exploits are one of the primary means by which cybercriminals distribute malware. In years past, cybercriminals had a wide-open playing field with Microsoft Windows and Adobe flaws, which often topped the charts in terms of the number of vulnerabilities leading to attacks.

Recently that trend experienced a bit of a turnaround, thanks to Microsoft's monthly Patch Tuesday security bulletins and automatic updates. Likewise, Adobe removed much of the low-hanging fruit from the threat landscape with automatic updates and better detection mechanisms, which ultimately posed obstacles for cybercriminals looking to gain easy entry.

Consequently, cybercriminals were prompted to turn their cannons elsewhere. In 2012, their target of choice was Oracle's Java.

There were several reasons for that. For one, Oracle has consistently lagged leagues behind industry counterparts Microsoft, Adobe and even Apple in its security update processes, and there is a historical explanation: in the past, it had been Microsoft and Apple, not Oracle, that released Java updates tailored to their own operating systems. To say that Oracle was a bit green in the security arena was an understatement.

That fact was not lost on cybercriminals, who pummeled Oracle's Java platform in a series of high-profile attacks throughout the year. Over the summer, a zero-day threat garnered headlines by exploiting a flaw in Java 7 to drop a malicious applet, dubbed Dropper MsPMs, on affected systems. Once safely dropped, the malware, known as the Poison Ivy Trojan, communicated with command-and-control servers based in China and Singapore, according to researchers at FireEye.

And in April, the notorious Flashback Trojan exploited a Java vulnerability to spread on the Mac OS X platform, infecting more than 600,000 machines around the world at its height.

The spate of threats did not come without consequence for Oracle's Java. The Flashback threat ultimately prompted Apple to disable Java by default in order to limit the Trojan's propagation.

Meanwhile, researchers at Sophos Ltd., F-Secure, Kaspersky Lab ZAO and others called for users to ditch Java altogether until Oracle plugged the Java Archive hole. The Redwood Shores, Calif.-based software firm released a patch, but not before a critical mass of users had disabled the program to sidestep the attacks.

Not surprisingly, Java vulnerabilities have represented an endless source of headaches for the channel, and that is not likely to diminish in the near future. Following Java's latest zero-day flaw, channel partners scrambled to disable the program for affected customers, while applying patches and beefing up security systems in order to stave off the threat. They are not likely to forget the experience should a similar security fire alarm sound again.
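As an added example, not taken from the article or from any vendor tool, the following POSIX shell script shows the kind of audit a partner could run over `java -version` output collected from customer machines to flag runtimes that sit below a patch baseline. The hostnames, the version strings and the baseline of 1.7.0_07 are constructed assumptions; substitute the update level that matches the advisory you are remediating. It only understands the pre-Java 9 version format (1.x.0_NN), which is the format in use at the time the article describes.

```shell
#!/bin/sh
# Added example: audit Java runtimes against an assumed minimum patch level.
# Not from the Channelnomics article; all hosts and versions below are made up.

# Convert a version string such as "1.7.0_06" into an integer that sorts
# correctly (family * 1000 + update): 1.7.0_06 -> 7006, 1.6.0_33 -> 6033.
# Returns 1 if the string is not in the pre-Java 9 "1.x.0_NN" form.
java_version_key() {
    v="$1"
    case "$v" in
        1.[0-9].[0-9]_[0-9]*) ;;
        *) return 1 ;;
    esac
    family=$(printf '%s' "$v" | cut -d. -f2)
    # strip leading zeros so "06" is not read as an octal constant
    update=$(printf '%s' "$v" | cut -d_ -f2 | sed 's/^0*//')
    [ -n "$update" ] || update=0
    echo $((family * 1000 + update))
}

# Pull the version out of the first line `java -version` prints, e.g.
#   java version "1.7.0_06"
# Note that the real command prints to stderr, so collect it with 2>&1.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Exit 0 when version $1 is at or above baseline $2, 1 when it is below,
# and 2 when either string cannot be parsed (treat as unknown, not as safe).
java_meets_baseline() {
    have=$(java_version_key "$1") || return 2
    want=$(java_version_key "$2") || return 2
    [ "$have" -ge "$want" ]
}

# Classify every "<host> <java -version first line>" record in $1 against
# baseline $2, printing one of OK / BELOW / UNKNOWN per host.
audit_report() {
    baseline="$2"
    printf '%s\n' "$1" | while IFS= read -r line; do
        host=${line%% *}
        rest=${line#* }
        ver=$(parse_java_version "$rest")
        rc=0
        java_meets_baseline "$ver" "$baseline" || rc=$?
        case $rc in
            0) printf '%s OK %s\n' "$host" "$ver" ;;
            1) printf '%s BELOW %s\n' "$host" "$ver" ;;
            *) printf '%s UNKNOWN\n' "$host" ;;
        esac
    done
}

# Constructed sample: what a collector script might gather from four hosts.
# ws04 has no Java on its PATH, which must surface as UNKNOWN, not OK.
SAMPLE_REPORT='ws01 java version "1.7.0_06"
ws02 java version "1.6.0_33"
ws03 java version "1.7.0_07"
ws04 sh: java: command not found'

# Assumed baseline; replace with the update level your advisory requires.
MIN_VERSION="1.7.0_07"

audit_report "$SAMPLE_REPORT" "$MIN_VERSION"
```

The UNKNOWN outcome is deliberate: a host whose output cannot be parsed is one you have not yet verified, and it should stay on the remediation list rather than be counted as patched. A version check alone also says nothing about whether the browser plugin is enabled, which is the exposure the 2012 attacks actually used, so pair it with the plugin state on each machine.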

Down the road, it is possible that the Java 7 bug, and others like it, could spur Oracle to improve its security processes and incident response times. Historically, widespread attacks have prompted Microsoft, Adobe and even Apple to adopt regularly scheduled patch updates, and it would not be unprecedented for Oracle to follow suit, especially as the proliferation of attacks continues to compel users to do without Java altogether.

Until then, however, partners will need to be armed and ready to remediate a continued rise in Java-related security threats for their customers, a challenge that will likely get worse in 2013 before it gets better.
