Java Bests Adobe With Most Exploited Flaws


A Kaspersky Lab report indicates that Oracle Java bested Adobe applications in terms of the highest number of exploited vulnerabilities. The channel will need to arm itself with security tools in 2013 to stave off a wave of attacks.

Oracle Corp.'s Java outpaced Adobe applications with the most exploited software vulnerabilities, according to researchers at Kaspersky Lab, indicating to the channel that the vulnerable platform will require a meaty security arsenal and services for the foreseeable future.

Adobe Reader and Adobe Flash, which had ranked the highest in terms of the number of exploitable vulnerabilities in 2011, came in a respective second and third place behind Java. Altogether, Java security holes were responsible for 50 percent of attacks, while Adobe Reader comprised 28 percent of security incidents involving vulnerability exploits. Windows components and Internet Explorer were only exploited in 3 percent of incidents.


Meanwhile, it’s well known that vulnerability exploits are one of the primary means that cybercriminals distribute malware. In years past, cybercriminals had a wide open playing field with Microsoft Windows and Adobe flaws, which often topped the charts in terms of highest number of vulnerabilities leading to attacks.

Recently that trend experienced a bit of a turnaround, thanks to Microsoft’s monthly Patch Tuesday security bulletins and automatic updates. Likewise, Adobe also served to remove much of the low hanging fruit from the threat landscape with automatic updates and better detection mechanisms that ultimately posed obstacles for cybercriminals looking to gain easy entry.

Consequently, cybercriminals were prompted to turn their cannons elsewhere. And in 2012, their target of choice was Oracle’s Java.

And for a lot of reasons. For one, Oracle has consistently stayed leagues behind industry counterparts Microsoft, Adobe and even Apple in terms of its security update processes. And for good reason -- in the past, it had been Microsoft and Apple, not Oracle, responsible for releasing Java updates tailored to their own operating systems. To say that Oracle was a bit green in the security arena was a bit of an understatement.

That fact was not lost on cybercriminals, who pummeled Oracle’s Java platform in a series of high-profile attacks throughout the year. Over the summer, a zero-day threat garnered headlines by exploiting a flaw in the Java 7 archive, dropping a malicious applet, dubbed Dropper MsPMs, on affected systems. Once safely dropped, the malware, known as the Poison Ivy Trojan, then communicated with its Command and Control centers based in China and Singapore, according to researchers at FireEye.

And in April, the notorious Flashback Trojan exploited a Java vulnerability that spread on the Mac OS X platform, infecting more than 600,000 machines around the world at its height.

The spate of threats didn’t come without consequence for Oracle's Java. The Flashback threat ultimately prompted Apple to disable Java by default to reduce the threat’s propagation.

Meanwhile, researchers at Sophos Ltd., F-Secure, Kaspersky Lab ZAO and others called for users to ditch Java altogether until Oracle plugged the Java Archive hole. The Redwood Shores, Calif.-based software firm released a patch, but not before a critical mass of users disabled the program in order to circumvent attack.

Not surprisingly, Java vulnerabilities have represented an endless source of headaches for the channel, which is not likely to diminish in the near future. Following Java’s latest zero-day flaw, channel partners scrambled to disable the program for affected customers, while updating patches and beefing up security systems in order to stave off the threat. And it’s not likely that they’ll forget should a similar security fire alarm occur again in the near future.

Down the road, it’s possible that the Java 7 bug, and others, could spur Oracle to improve security processes and incident response times. Historically, unwieldy attacks have prompted Microsoft, Adobe and even Apple to implement regularly scheduled patch updates, and it wouldn’t be unprecedented for Oracle to follow suit, especially as the proliferation of attacks continues to compel users to do without Java altogether.

Until then, however, partners will need to be armed and ready to remediate an exponential rise of Java-related security threats for their customers – a challenge that will likely get worse in 2013 before it gets better.
