As recently as 2013, vulnerabilities involving Java appeared to be a favored tool of adversaries: Java was easy to exploit and, and exploits involving the programming language were difficult to detect. However, as reported in the Cisco 2015 Annual Security Report, Java is losing its front-runner position as a favored tool of bad actors looking to breach network security.
The decline in Java’s high profile as an attack vector in 2014 was recorded by Cisco Security Research. Only one of the top 10 most commonly exploited vulnerabilities in 2014 was related to Java (see chart below). In 2013, Cisco tracked 54 urgent new Java vulnerabilities; in 2014, the number of tracked vulnerabilities fell to just 19. We saw a corresponding decline in reports from the National Vulnerability Database (NVD), which includes all reported vulnerabilities: from 309 Java vulnerabilities in 2013, down to 253 in 2014.
As for the reasons behind the decline in Java exploits, our Cisco security researchers believe that ongoing efforts to reduce vulnerabilities in Java, as well as blocking older, problematic versions of Java, are the key factors. The latest version of the software, Java 8, includes stronger controls than previous releases, and also requires human interaction – such as code signing and user dialogue – before Java will run. Newer versions of Java automatically patch vulnerabilities, and older versions of the Java Runtime Environment are now blocked by web browsers.
In addition to the greater controls and tighter management from vendors, enterprise security professionals can take their own actions to minimize impact from vulnerabilities—in Java and in other commonly used tools—that bad actors exploit. For example, by monitoring the rise and decline of exploits through such sources as published advisories from Cisco’s Product Security Incident Response Team (PSIRT) and IntelliShield, security professionals can identify and prioritize the patches and updates that need to be installed most urgently, compared to those that can wait and be installed during normal patch management cycles. For instance, adversaries frequently exploit vulnerabilities in Adobe Flash, so new advisories and software updates should be considered priority patches, because adversaries will quickly add these vulnerabilities to their exploit kits.
Cumulative Annual Alerts Decline in 2014
Along with the decline in Java as an attack vector, It’s interesting to point out another notable decline – that of cumulative new and updated product vulnerabilities, as compiled by Cisco Security Research. For the first time in recent years, total alerts fell in number compared to the previous year, as seen in the table below. As explained in the Cisco 2015 Annual Security Report, the decline, much as with the decline seen in Java vulnerabilities, is likely due to greater vendor focus on software testing and development.
For more on trends in vulnerabilities and threat intelligence, download the Cisco 2015 Annual Security Report.