Whilst working on our normal data pull and analysis for the Microsoft Security Intelligence Report (v9 - released last week), I embarked on a mini discovery mission on the exploit data that MMPC detects with our antimalware technology.  Although the main focus of antimalware software is on traditional malware families, antimalware technologies can do a good job when it comes to file exploits that require a lot of parsing, such as exploit-laden movies, documents, and ... Java.
 
What I discovered was that some of our exploit "malware" families were telling a scary story - an unprecedented wave of Java exploitation.  In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored.  See chart below for details:
 
[Chart: Java vs. PDF attacks through 2010 Q3]
 
The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now.  The first two, in particular, have gone from hundreds of thousands per quarter to millions:
 
CVE | Attacks | Computers | Description
--- | --- | --- | ---
CVE-2008-5353 | 3,560,669 | 1,196,480 | A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
CVE-2009-3867 | 2,638,311 | 1,119,191 | Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
CVE-2010-0094 | 213,502 | 173,123 | Another deserialization issue, very similar to CVE-2008-5353.
 
The spike in exploitation was surprising to say the least, and I wondered why no one else appeared to be noticing.  And, to be fair, it wasn't entirely true that no one else noticed.
 
Back in 2008, the number of Java vulnerabilities started increasing dramatically (one report noted a jump of 264% from 2007 to 2008).  Curious, I thought at the time.  The main focus of vulnerability protection back then was moving from the OS to the browser, with the next frontiers being malicious documents and movies.  I wondered—could Java be on the horizon?
 
Indeed it was.  Should we have expected otherwise?  Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it.  On top of that, Java is a technology that runs in the background to make more visible components work.  How do you know if you have Java installed or if it's running?
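One way to answer that question on a Windows host, as an added example that is not part of the original post: inventory the Java runtimes the installer registered and check whether a Java process is running. It assumes the JRE installer writes to the standard Uninstall keys and to HKLM\SOFTWARE\JavaSoft, and the patched-baseline version is a placeholder you set from the vendor's update notes.

```powershell
# Added example, not MMPC code: list installed Java runtimes and running Java processes.
# Assumptions: JRE installers register under the standard Uninstall keys and under
# HKLM\SOFTWARE\JavaSoft; $MinimumPatchedVersion is a PLACEHOLDER you fill in yourself.

$MinimumPatchedVersion = [version]'0.0'   # PLACEHOLDER: oldest JRE build you consider patched

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Java packages as recorded by the installer (DisplayVersion is what we compare).
$javaPackages = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

# 2. Runtimes registered under the JavaSoft key (catches copies the Uninstall list may miss).
$javaSoftKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)
$registeredRuntimes = foreach ($key in $javaSoftKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
            if ($javaHome) { [pscustomobject]@{ Version = $_.PSChildName; JavaHome = $javaHome } }
        }
    }
}

# 3. Is Java running right now? (java.exe for console apps, javaw.exe for browser plug-in helpers)
$running = Get-Process -Name java, javaw -ErrorAction SilentlyContinue | Select-Object Id, Path

if (-not $javaPackages -and -not $registeredRuntimes) {
    Write-Output 'No Java runtime found in the registry.'
} else {
    Write-Output 'Installed Java packages:';      $javaPackages      | Format-Table -AutoSize
    Write-Output 'Registered JavaSoft runtimes:'; $registeredRuntimes | Format-Table -AutoSize
    foreach ($pkg in $javaPackages) {
        # DisplayVersion is usually dotted (e.g. "6.0.200"); skip entries that do not parse.
        try { $v = [version]$pkg.DisplayVersion } catch { continue }
        if ($v -lt $MinimumPatchedVersion) {
            Write-Warning "$($pkg.DisplayName) ($($pkg.DisplayVersion)) is older than your patched baseline"
        }
    }
}
if ($running) { Write-Output 'Java processes currently running:'; $running | Format-Table -AutoSize }
```

Run it in an elevated prompt so both the 32-bit and 64-bit registry views are readable; a host with several registered runtimes typically has an old one left behind by a side-by-side upgrade.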
 
More recently, the exploitation of Java vulnerabilities has been coming to light.  Scott Wu, who presented at Virus Bulletin recently, listed some of the more heavily exploited vulnerabilities in his presentation.  Also, in the one-year anniversary post for Microsoft Security Essentials, exploits for a Java vulnerability pushed that family to the top of the list for all families (malware and exploits) detected in the US.
 
Looking back at the chart above, you can see that this exploitation has been happening for some time.  So, why has no one been talking about Java-based exploits?  (Well, almost no one.  Brian Krebs broke the ice last week.)
 
I have a theory about why almost no one has noticed this sharp rise in attacks on Java.  IDS/IPS vendors, who are typically the folks that speak out first about new types of exploitation, have challenges with parsing Java code.  Documents, multimedia, JavaScript - getting protection for these formats right is already challenging.  Now imagine incorporating a Java interpreter into an IPS engine: the performance impact on a network IPS could be crippling.  So, the people that we expect to notice increases in exploitation might have a hard time seeing this particular spectrum of light.  Call it Java-blindness.
 
So, if the antimalware people can see it, why aren't they talking about it?  Well, looking at the numbers, Java exploits (and most exploits for that matter) are very low-volume in comparison to the volume of common malware families like Zbot (a family for which we added detection in MSRT just last week).  What we have to remember is that, with exploits, it's not just about volume - they happen in a flash and you have to catch them in the act (with a real-time protection product such as Microsoft Security Essentials) before they open the door to lots of malware.  So, even small numbers, especially when they're against unpatched vulnerabilities, matter a lot.
 
Now that our eyes are open, it is time for us to start reassessing yet another ubiquitous technology that attackers have found they can exploit.  Considering that these vulnerabilities all have available updates from Oracle that would prevent these attacks from being successful, this data is a reminder that, in addition to running real-time protection, it is imperative to apply all security updates for software, no matter what your flavor might be.
 
- Holly Stewart, MMPC
 
PS: Special thanks to our incredible analysts, Marian Radu, Rodel Finones, Michael Johnson, Chris Stubbs, Dan Kurc, Patrik Vicol, Jaime Wong, and Shawn Wang, who worked on our Java coverage for customers and had the foresight to create this protection long before this escalation in attacks.