Cisco Blogs

Java Exploits Another Example of Tomorrow’s Threat Landscape, Today

October 28, 2010 - 1 Comment

The last two years seem dominated by PDF vulnerabilities. As far as the specification and its various readers are concerned, there is likely more sour fruit yet to be uncovered; it’s simply too complex and full of dangerous “features.” But a few blogs have recently hinted that there may be a new vector emerging with surprising popularity. Brian Krebs suggests that exploit crimeware packages have begun reporting significant success rates with Java exploits; data collected by the Microsoft Malware Protection Center (MMPC) seems to agree. After taking a look at what Cisco ScanSafe had to share on the topic, it seems clear that the threat landscape appears to be shifting under our noses.

Java Gains Steam

Microsoft detailed three Java vulnerabilities as being the top threats among data they have collected for Q3 2010. These are CVE-2008-5353, for which Microsoft recorded 3.5 million exploit attempts, and CVE-2009-3867, which showed 2.6 million attempts. The third Java exploit, CVE-2010-0094, had 213,000 hits. In comparison, the nearest PDF exploit detected by Microsoft was less than 100,000 during the same period. Krebs, likewise, offered screenshots from his interactions with the criminal authors of the Blackhole exploit kit. Statistics shared indicate that Java is the most effective exploit employed by Blackhole. SEO Sploit Pack was also reporting 50-65% of its payloads delivered via Java.

Let’s look into some Cisco ScanSafe data from the past 6 months, as a comparison:

Java vs. Flash vs. PDF, Apr - Sep 2010

Java vs. Flash vs. PDF, Apr - Sep 2010

ScanSafe tracks data slightly differently than MMPC or Krebs, but still we see a similar kind of shift over several months. ScanSafe blocks in three general categories, in layers of most abstraction from malware, to least: at the iframe level (or malicious javascript reference); at the exploit; or at binary delivery. These blocks depend on how the user is introduced to malicious content, and not every malware encounter includes all three layers. Some attacks start with an iframe, some at the exploit level, and some directly at binary delivery.

But with that context considered, for all web-based malware, 65% of what ScanSafe blocked was prior to exploit delivery, at the iframe or malicious JavaScript reference level. Of the remainder, ScanSafe’s numbers for exploit blocking of PDF- and Java-based exploits were nearly even 6 months ago (For May: 2.28% for PDF, 1.93% for Java), and in the last few months the number of Java encounters at the exploit level has seen a similar uptick when compared with Microsoft’s data (For September: 1% for PDF, 7% for Java).

Looking at this combined information, for vulnerabilities stretching as far back as December, 2008, and each with fixes available, this is a disturbing trend. SANS Internet Storm Center noticed drive-by downloads using CVE-2008-5353 back in January of this year, and noted its inclusion in three other exploit kits at that time. So while each of these sources have noted some worrying statistics from various perspectives, we’re seeing something that has been building steam for a while now.

Why Java?

I think that there are many reasons why Java could be challenging, but for these same reasons, it will not be the last technology to hold the infamous “preferred attack vector” spotlight:

Microsoft’s Holly Stewart offered some speculation that Java was flying under the radar because real-time protections like IPS devices have a hard time blocking Java exploits, because running a full-fledged virtual machine on the network is prohibitively resource intensive. This will vary case-by-case for exploits, but it generally holds true that the most reliable detection for Java exploits is to run them in a virtual machine and monitor it for security violations. That said, Cisco IPS does supply signatures for CVE-2008-5353 and CVE-2009-3867. And with vulnerabilities in platforms like Java, protection will further need to shift to the borderless network. Solutions like ScanSafe Anywhere+ can intercept and detect exploits against any browsing device (including potentially vulnerable Symbian and Android phones running Java), regardless of whether they are used on networks with traditional protections.

Tomorrow’s evasive exploits may not specifically avoid IPS devices — they might dodge reputation-based protections, user education, or any number of safeguards. But the best ones, in the attacker’s minds, will be those that can operate one step ahead of the security status quo.

Like PDF vulnerabilities, Java vulnerabilities have a quality of high reusability, because the Java platform (like the PDF document type) is ubiquitous. But unlike PDF, where the user has some interaction with whatever PDF reading application they use to view documents, many users may be completely insulated from knowing whether Java is loaded, let alone which version is running on the machine. And because older versions of Java can tend to lurk on users’ systems (intentionally or unintentionally), even after patches have been applied, it is not hard for attackers to check for older versions that co-exist on a system and call those in an attack. The pervasive nature of Java can lead to some troubling dependency problems if core software relies upon or dictates a certain version to be installed, and then systems can be forced into an unprotected state well after a vulnerability is disclosed. For this reason, moves like Apple’s recent one to remove Java as a core system component, while not necessarily based on security, can have positive implications.

Tomorrow’s pervasive attack vectors could just as easily be habits or procedures as they could be technologies. But they are likely on your systems today, being prepared for roll out next quarter, or being shared among your users as we speak.

Multi-platform interoperability is the hallmark of Java and its virtual machine. Distribute applications as a single bytecode, and let per-platform interpreters do the heavy lifting necessary to translate for the runtime environment. This is a double-edged sword, of course, meaning that it’s just as easy to distribute malicious software across platforms. Here, you can see a demonstration of the Social Engineering Toolkit preparing to construct a malicious webpage. Note that at 2:33, the narrator opts out of delivering a Linux or Mac OS X payload, though the option is presented. Of course, the challenge of portable code extends far beyond a multi-operating system environment. It means that exploits could also run on mobile devices, kiosks, single-use appliances, and whatever other hosts that contain a Java VM. And it means that the exploits can run far and wide, and onto systems that may not typically fall within the support and maintenance oversight of the IT staff.

Tomorrow’s invasive threats will operate the same across whatever means used to access data. When they can’t get to the various devices, they might turn their attention to the cloud or other services that feed those devices their data.


Attackers are solidly positioning themselves to have effective, cross-platform, ubiquitous access vectors to their targets. They have found a great deal of success with PDF in the past, and now some measures suggest that they are finding more with Java. Like PDF flaws, Java flaws can be exploited on user workstations, but in certain circumstances could also impact mobile and embedded systems, including smartphones, set-top boxes, and industrial controllers. While the threats may be new, best practices to combat them are not: defense-in-depth; layered, proactive systems; intelligent IPS; firewalls; updated and maintained devices and security; and ongoing education and awareness for users.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. One thing that has hit news late last night, early this morning is the propagation through Facebook of a Koobface / Boonana Trojan that is using Java for multi-platform infection of Windows and OS X. Here are some details from el Reg: