If you've been following this blog for a few years, you probably know that I'm reluctant to play the prediction game, but it seems to be expected at this time of year, so here's my contribution. Java will consolidate its position as the successor to PDF and SWF in the favourite exploits stakes, the latest Adobe problem (Security Advisory APSA11-04) and a very recent, not yet patched Flash 0-day vulnerability notwithstanding.
When we (Aleksandr Matrosov, Eugene Rodionov, Dmitry Volkov and myself) mentioned in our recent blog and paper that “In the last year Java has outpaced last year’s “leaders” in exploitable application formats such as PDF and SWF (Adobe Flash file format), which are now more or less equal in second place”, it was assumed that we were referring to a global shift. In fact, we were referring to the figure reproduced below, which shows statistics associated with the Black Hole exploit kit, and we’re not about to guarantee their accuracy, even for Black Hole customers. We are talking about malware here, though it’s reasonable to expect that crimeware authors have a pretty good idea of what exploits work and which don’t.
However, while it’s a bit early to pre-empt anyone’s End of Year statistics, there are data from earlier in the year that suggest that they’ll confirm Java’s continued “supremacy”: for instance, Volume 11 of the Microsoft Security Report indicates that “the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK)”. When we came to write that Carberp paper, not much had changed.
The vulnerabilities in Java are easier and more consistently exploitable than those in PDF and SWF. The code required for a working exploit is fairly small, and may be only a page in length. The exploited vulnerabilities aren’t really new: some of them are more than a year old. And perhaps most of all, Java platforms are so diverse and widespread that there is no single, reliable patching/updating mechanism to cover them all.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow