68 Percent of Web Users Yet to Patch Major Java Security Flaw: Trusteer

Trusteer has found that more than a week after the release of a critical Java security patch, more than 68 percent of Internet users remain at risk from attacks that exploit these vulnerabilities. This image from a Trusteer video shows such an intruder.

(WEB HOST INDUSTRY REVIEW) — More than a week after Oracle released a critical security patch for Java, more than 68 percent of Internet users are still at risk from attacks that exploit these vulnerabilities, according to secure browsing services provider Trusteer (www.trusteer.com).

According to Trusteer’s Monday announcement, this may be the biggest security hole on the Internet today, given that nearly three quarters of Internet-connected computers are using Java. The Trusteer Secure Browsing Service has already warned 14 million users to immediately apply the Java patch. In the meantime, Trusteer is protecting subscribers.

One week after it was released by Oracle, the update had been installed by only seven percent of Java users. The critical patch update contains 29 new security fixes across Java SE and Java for Business products to guard against malware such as the Zeus trojan that exploits the vulnerabilities in unpatched versions of Java.

“From a security threat standpoint Java is very much like Flash in that it is a ubiquitous technology installed on virtually every computer in the world, which makes it an ultimate platform for distributing malware,” Trusteer chief executive officer Mickey Boodaei stated. “Using vulnerabilities in these applications is extremely efficient since it enables criminals to target more than two thirds of Internet users. Oracle is facing some major security challenges and one of its biggest hurdles is its software update mechanism. For some reason, it is not effective enough in distributing security patches to the field. Adobe experienced the very same problem last year and since then Flash has been the subject of multiple attacks. To date Adobe hasn’t managed to overcome the problem although they are trying and have plans to introduce more security features in their future releases.”

The Java exploit, posted to the Full Disclosure mailing list late last week, appears to have been picked up by Russian hackers, who have used these techniques to re-route Internet users to a malware server. Given the time that would likely have been needed to organise this multi-level attack vector, Trusteer researchers believe that hackers are now monitoring bug disclosure lists on a regular basis, and then mobilising their resources very quickly to create new zero-day exploits.

“The spike in Java exploits shows every sign of continuing,” Boodaei said. “Just 120 hours after a Google researcher published details of an unpatched Java exploit late last week, hackers had reportedly already started exploiting the vulnerability. The fact that the time between an exploit being discovered and then being used by hackers in the real world is shortening is of great concern. With so few users updating their systems, this means that a majority of computers are wide open to this new type of attack vector.”

Earlier this month, Trusteer discovered a new version of the relatively obscure financial malware known as “Bugat”, which the company said could be an attempt by criminals to diversify their attack methods by using a less popular platform than the Zeus trojan.
