NEWS FROM THE LAB - Monday, February 25, 2013

The Lowest Hanging Fruit: Java Posted by Sean @ 17:00 GMT

By all measures, Java is the current title holder for the lowest hanging fruit in computer security. (And by Java, we mean JRE and its various browser plugins.) It wasn't always so. How did it happen? Let's review some highlights in the history of low hanging fruit.

From 2004 to 2008: Attacks shifted from Windows to Office.

2004, August — Windows XP Service Pack 2 was released.

2005, February — At RSA Conference, Microsoft announced the first beta of Microsoft Update.

2005, June — The initial release of Microsoft Update.

Result: Over time, fewer Office vulnerabilities exploited in the wild, because Microsoft Update, which replaced Windows Update, also delivers Office patches rather than Windows patches alone.

From 2008 to 2010: Attacks increasingly focused on Adobe.

2009, February — "Adobe Reader has become the new IE"

From my point of view, Adobe Reader has become the new IE. For security reasons, avoid it if you can.

2009, March — Adobe started a quarterly update schedule, available on "Patch Tuesday".

  •  ASSET Blog: Adobe Reader and Acrobat Security Initiative

2009, April — Oracle agreed to acquire Sun Microsystems, and with it Java.

2010, March — PDF Based Targeted Attacks are Increasing

[Chart: Targeted Attacks]

  •  Computerworld: Hackers love to exploit PDF bugs, says researcher

Adobe wasn't surprised by the data. "Given the relative ubiquity and cross-platform reach of many of our products, Adobe has attracted — and will likely continue to attract — increasing attention from attackers."


2010, July — Adobe Joins Microsoft's MAPP Program.

  •  ASSET Blog: Working Together: Adobe Vulnerability Info Sharing via Microsoft Active Protections Program (MAPP)

Result: Adobe became a team player… and has the results to show for it.

From 2010 to 2013: Java claims the title of lowest hanging fruit (on multiple operating systems).

2012, April — Adobe ends "quarterly updates", responds monthly, as needed, still aligned with Microsoft's update schedule.

  •  ASSET Blog: Background on Security Bulletin APSB12-08

2012, August — Java Runtime Environment = Perpetual Vulnerability Machine

2013, January — ZDNet reporter, Ed Bott, declared Java the new king of foistware.

  •  ZDNet: A close look at how Oracle installs deceptive software with Java updates

2013, February — Numerous companies admit to security breaches due to Java.

  •  The Verge: After so many hacks, why won't Java just go away?

Result: Java's browser plugin is deemed public enemy number one.

But wait, is disabling Java's browser plugins enough?

2011, March — Spotify Free users attacked via malicious ads. At least one attack used a Java exploit.

  •  SC Magazine: Spotify in malvertising scare

So it isn't just web browsers that can trigger the Java plugin; other applications that display web content (and the ads in it) can too.

From 2013 to 201X: Oracle either evolves or JRE becomes increasingly irrelevant.

Oracle releases its Critical Patch Updates on the Tuesday closest to the 17th of January, April, July and October. By releasing on a day other than (and usually later than) Microsoft's "Patch Tuesday", the second Tuesday of the month, Oracle currently forces IT departments to schedule an additional patch assessment, testing and maintenance window each quarter.
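As an added worked example (not part of the original post, and not Oracle's or Microsoft's own code), the script below encodes both release rules as stated above and, for a given year, shows how far each Oracle CPU falls from the nearest Patch Tuesday. It goes one step beyond the text: running it also reveals the one case where the two schedules coincide (when the 17th falls on a Friday, the closest Tuesday is the 14th, which is also the second Tuesday). It models only the scheduled dates; out-of-band emergency releases are not covered.

```python
from datetime import date, timedelta

TUESDAY = 1                      # date.weekday(): Monday == 0
CPU_MONTHS = (1, 4, 7, 10)       # Oracle Critical Patch Update months


def nth_weekday(year, month, weekday, n):
    """Return the n-th occurrence of `weekday` in the given month."""
    first = date(year, month, 1)
    days_ahead = (weekday - first.weekday()) % 7
    return first + timedelta(days=days_ahead + 7 * (n - 1))


def microsoft_patch_tuesday(year, month):
    """Microsoft's Patch Tuesday: the second Tuesday of every month."""
    return nth_weekday(year, month, TUESDAY, 2)


def oracle_cpu_date(year, month):
    """Oracle CPU date per the rule quoted in the post: the Tuesday closest
    to the 17th of January, April, July and October.
    Out-of-band fixes are deliberately not modelled."""
    if month not in CPU_MONTHS:
        raise ValueError(f"no scheduled Oracle CPU in month {month}")
    anchor = date(year, month, 17)
    days_ahead = (TUESDAY - anchor.weekday()) % 7
    tuesday_after = anchor + timedelta(days=days_ahead)   # == anchor if the 17th is a Tuesday
    tuesday_before = tuesday_after - timedelta(days=7)
    # 7 is odd, so one candidate is always strictly closer: no tie-break needed
    return min((tuesday_before, tuesday_after),
               key=lambda d: abs((d - anchor).days))


def quarterly_patch_gaps(year):
    """For each CPU month return (patch_tuesday, cpu_date, days_between, extra_window).

    extra_window is True when the Oracle release does not land on Patch Tuesday,
    i.e. when IT needs a second maintenance window that quarter."""
    rows = []
    for month in CPU_MONTHS:
        pt = microsoft_patch_tuesday(year, month)
        cpu = oracle_cpu_date(year, month)
        gap = (cpu - pt).days
        rows.append((pt, cpu, gap, gap != 0))
    return rows


if __name__ == "__main__":
    for year in (2013, 2014):
        for pt, cpu, gap, extra in quarterly_patch_gaps(year):
            print(f"{pt.isoformat()}  Patch Tuesday | {cpu.isoformat()}  Oracle CPU | "
                  f"{gap:2d} days later | extra window: {extra}")
```

For 2013 every quarter comes out seven days apart (15 January, 16 April, 16 July and 15 October against Patch Tuesdays on the 8th and 9th), which is the extra maintenance cycle the post complains about; the first row for 2014 shows the two dates colliding on 14 January.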

Something really ought to change.