Monday, May 30, 2011

Java Exploits Biggest Threat to PCs?

Gregg Keizer's ComputerWorld article New malware scanner finds 5% of Windows PCs infected includes the subtitle: "Java exploits remain biggest threat to PCs, says Microsoft." The part of the article about the freely available (for PCs with "Genuine Windows" installed) Microsoft products, Microsoft Safety Scanner and Microsoft Security Essentials, prompted me to run Microsoft Safety Scanner against my primary laptop. I am pleased to report I am part of the 95% without the issues discussed in this article. However, the other part of the article that interested me, and the subject of this blog post, is the high number of Microsoft-identified exploits associated with Java.

The Keizer article references the blog post Microsoft Safety Scanner detects exploits du jour, which is the source of most of the information I discuss in this post. The Microsoft Malware Protection Center (MMPC) blog post by Scott Wu and Joe Faulhaber discusses the statistics gathered from the initial week following the release of Microsoft Safety Scanner earlier this month. They report that there were nearly 420,000 downloads of Microsoft Safety Scanner in that first week and nearly 20,100 computers needed to be cleaned. Here is the big news from a Java perspective: seven of the top ten exploits that Microsoft Safety Scanner identified in that first week were Java-related (including all of the top four).

The Microsoft Safety Scanner detects exploits du jour post provides a table listing the top ten encountered threats with a "threat name," threat count, machine count, and a "note." Seven of the ten threats have "Java Exploit" as their note. The New malware scanner finds 5% of Windows PCs infected article does a nice job of associating these threats with previous Microsoft Malware Protection Center statements regarding Java and Windows security. Many of these previous statements were made in Holly Stewart's October 2010 MMPC blog post Have you checked the Java?

The Holly Stewart post postulates some possible reasons for Java being associated with so many Windows security issues, particularly in the United States. She states:
"Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it. On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it's running?"

I now look at some of the exploits seen in the first week of Microsoft Safety Scanner's deployment that are Java-related.


The most frequently seen threat in terms of threat count (and fourth in terms of machines involved) in this first week of Microsoft Safety Scanner deployment was CVE-2008-5353, which Microsoft rates as Severe. Java/CVE-2008-5353 is resolved with Java SE 6 Update 11 (Sun Alert ID 244991). This issue has to do with improper deserialization (a more general issue most commonly blamed on the much maligned Calendar class).


Threat CVE-2010-0840 was the second most seen threat (and was also on the second most machines). Sami Koivu provides a detailed overview of this vulnerability in Java Trusted Method Chaining (CVE-2010-0840/ZDI-10-056). The vulnerability is addressed in Java SE 6 Update 19 or through the March 2010 Patch Update.


The third most commonly seen threat in the first week of Microsoft Safety Scanner's deployment was CVE-2010-0094 (fifth in terms of number of machines involved). This was addressed in the March 2010 Patch Update and was resolved in the standard SDK distribution as of Java SE 6 Update 19. This little baddie is another one related to deserialization (specifically "deserialization of RMIConnectionImpl objects").


Second highest by machine count and fourth highest by threat count was the OpenConnection family of threats. The OpenConnection.MW threat appears to be a particular "malicious Java applet trojan that exploits a vulnerability described in CVE-2010-0840" (quote source) and, as such, is addressed by Java SE 6 Update 19.


CVE-2009-3867 was the sixth most frequently seen threat both in terms of threat count and in terms of machine count. This threat is described as "A stack-based buffer overflow occurs when processing long 'file://' URL arguments in the 'HsbParser.getSoundBank()' function" and is addressed in Java SE 6 Update 17.


Mesdeh is a data file intended to exploit the previously discussed CVE-2010-0094 vulnerability and, as such, is foiled by updating to at least Java SE 6 Update 19. This was ninth of the ten discovered exploits in terms of threat count as well as in terms of machine count.


The final Java-related exploit of the top ten exploits discovered in the first week of deployment of Microsoft Safety Scanner is named OpenStream and is a Java applet Trojan downloader (Trojan horse). It can be invoked on any web browser that runs Java, but is harmless to non-Windows operating systems because the file it downloads is a Windows-specific EXE file. Because it involves a signed JAR, the user must accept it to allow it to have its way with their machine. Just as it is said that the people of Troy allowed a horse full of Greeks in and just as it is said that people must let Vampires in, so too the user must let this baddie in.

Patching of Exploits Not Limited to Java SE 6

All of the above exploits are resolved in current versions of Java SE 6. Current versions of J2SE 5 tend to address these as well, but I focused on Java SE 6 in this post.
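
As an added example (not part of the original post or of any Microsoft or Oracle tooling), the following script takes the first line of `java -version` output and reports which of the threats discussed above a Java SE 6 install is still exposed to, using only the fix levels stated in this post. The host names and the sample inventory are constructed for illustration.

```python
import re

# Lowest Java SE 6 update that resolves each threat, as given in this post.
# OpenStream is absent: it relies on the user accepting a signed JAR,
# so no update level in this post addresses it.
FIXED_IN_UPDATE = {
    "CVE-2008-5353": 11,
    "CVE-2009-3867": 17,
    "CVE-2010-0094": 19,  # also foils the Mesdeh data file
    "CVE-2010-0840": 19,  # also addresses OpenConnection.MW
}

# `java -version` reports Java SE 6 as: java version "1.6.0_18"
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, update) from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    # A missing "_NN" suffix means the original release, i.e. update 0.
    return int(m.group(1)), int(m.group(2) or 0)


def unpatched_threats(output):
    """List the post's CVEs still open, or None if not Java SE 6."""
    parsed = parse_java_version(output)
    if parsed is None:
        raise ValueError("no Java version string found")
    major, update = parsed
    if major != 6:
        return None  # the fix levels above are stated for Java SE 6 only
    return sorted(c for c, fixed in FIXED_IN_UPDATE.items() if update < fixed)


# Constructed sample inventory: host name -> captured `java -version` output.
SAMPLE_INVENTORY = {
    "laptop-a": 'java version "1.6.0_10"',
    "laptop-b": 'java version "1.6.0_18"',
    "laptop-c": 'java version "1.6.0_25"',
    "laptop-d": 'java version "1.5.0_22"',
}

if __name__ == "__main__":
    for host, out in SAMPLE_INVENTORY.items():
        result = unpatched_threats(out)
        print(host, "not Java SE 6" if result is None else result or "patched")
```
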

Java Vulnerabilities

I discussed Java-related vulnerabilities briefly in my earlier post Recent Posts of Significant Interest (Java Security, XML, Cloud Computing). In that post, I referenced the article RSA: Java is the Most Vulnerable Browser Plug-in. That article reported that RSA found the Java plug-in to be the most vulnerable to exploitation followed by Adobe Reader, Apple QuickTime, and Adobe Flash. The article also cited another article that reports that "Cisco said that Java vulnerabilities are now more exploited than those in Adobe Acrobat and Reader."


It appears that Java indeed is or has been related to many Windows exploits. The good news for end users is that it's generally fairly easy and doesn't take a lot of time to update to the latest JRE. Best of all, my PCs are set up so that I'm automatically reminded to perform these updates and thus don't risk "forgetting" to do so. One could probably download hundreds of JRE updates in the time it takes to download and install one iTunes update.
