Massive Internet Security Hole Remains Unpatched By Users

More than a week after Oracle released a critical patch for Java, more than 68% percent of Internet users are still vulnerable to attacks that exploit these vulnerabilities. This may be the biggest security hole on the Internet today, since 73 percent of Internet users are using Java.

I’ve already warned 14 million users to immediately apply the Java patch and in the mean time protects them against financial malware such as Zeus, that exploit the vulnerabilities in unpatched versions of Java.

According to Oracle due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 29 new security fixes across Java SE and Java for Business products.

One week after it was released by Oracle, only 7 per cent of Java users have installed the latest update. This is worrying because the majority of Java users on the Internet are vulnerable to a large and growing number of Java exploits in the wild. According to Microsoft, the vulnerabilities covered by the critical patch provide ‘…an unprecedented wave of Java exploitation…’ I believe it is the single most exploitable vulnerability on the web today.

From a security threat standpoint Java is very much like Flash in that it is a ubiquitous technology installed on virtually every computer in the world, which makes an ultimate platform for distributing malware. Using vulnerabilities in these applications is extremely efficient since it enables criminals to target more than two thirds of Internet users. Oracle is facing some major security challenges and one of its biggest hurdles is its software update mechanism.

For some reason, it is not effective enough in distributing security patches to the field. Adobe experienced the very same problem last year and since then Flash has been the subject of multiple attacks. To date Adobe hasn’t managed to overcome the problem although they are trying and have plans to introduce more security features in their future releases.

The spike in Java exploits shows every sign of continuing. Just 120 hours after a Google researcher published details of an unpatched Java exploit late last week, hackers had reportedly already started exploiting the vulnerability. The fact that the time between an exploit being discovered and then being used by hackers in the real world is shortening is of great concern. And with so few users updating their systems, this means that a majority of users’ computers are wide open to this new type of attack vector.

The Java exploit posted to the Full Disclosure mailing list late last week appears to have been picked up by Russian hackers, who are currently exploiting an iFrame-compromised song lyrics site, which re-routes Internet users to a Russia-based malware server. This multi-level attack vector will have taken time to organise, which leads me to believe that hackers are now monitoring bug disclosure lists on a regular basis, and then mobilising their resources very quickly to create new zero day exploits.

Recommendations

  • For enterprises: identify all browser add-ons and browser technologies, not just Flash and Java. Make sure to block unnecessary services and quickly update vulnerable add-ons and browsers. Use browser security technologies that can minimize and control the threat within the organization. Patch browsers and browser add-ons as soon as fixes are available.
  • For end-users: don’t disregard vendor software update messages. If a software program is not needed, it should be removed. Otherwise it should be kept up-to-date. Use browser security technologies which can minimize, block, and alert on new threats.

Prior to founding Trusteer, Mickey Boodaei co-founded and held the position of VP of EMEA sales for Imperva. Mickey grew sales from zero to 40% of company revenues in less than 18 months. Prior to that, Mickey was Imperva’s Vice President of Product Management and Technical Services. In this role, Mickey was responsible for defining and creating several category defining products in the fields of application and database security. Prior to Imperva, Mickey was founder and Chief Executive Officer of Edvice - an application and database security consulting group. Edvice provided advanced security services to major financial institutions including penetration testing, security architecture design and implementation of security features for Web-based applications. Mickey also served for six years as a security research engineer in the Israel Defense Forces. There, he worked on security design, penetration testing, and basic research in the fields of application and database security. He holds a B.Sc. degree from the Technion, Israel Institute of Technology, and an MBA from Ben-Gurion University.