Microsoft reported that vulnerabilities in the Java software are continuously being exploited by hackers. Tim Rain, Director of Microsoft’s Trustworthy Computing group, explained that Java exploits account for half of all attacks blocked by the company’s security software over a one-year period. Microsoft blocked more than 27 million Java exploits between mid-2010 and mid-2011.
Rain mentioned that the attacks target Java vulnerabilities that were patched long ago. The most common attack, accounting for around 2.5 million blocked exploits in early 2011, targets a flaw that was disclosed and patched in March 2010. Another popular attack targets a flaw patched back in 2008. The other bugs on Microsoft’s blocked list were fixed between late 2009 and early 2010.
The findings reported by Rain are similar to a report Microsoft presented in October last year, which also involved the exploitation of Java flaws. Qualys’ Chief Technology Officer Wolfgang Kandek mentioned that the majority of Windows machines lag behind on Java updates.
Kandek explained that 84 percent of the machines handled by Qualys lack the June 2011 Java update, 81 percent have not installed the February 2011 patch, and 60 percent do not have the March 2010 update. There is not yet enough measurement data for the latest October 2011 Java update, but Kandek estimates that 90 percent of Windows PCs have not installed its fixes.
According to Kandek, vulnerabilities in Microsoft’s Windows are patched faster when it comes to enterprises. He noted that critical patches are installed quickly: it takes only about 15 days to patch half of all machines, while for average bugs half of all machines are patched within 29 days.
Andrew Storms of nCircle Security explained that the millions of Java-related attacks can be attributed to the pervasiveness of the software. He noted that this, combined with the “virtual invisibility” of Java, makes the software a big but silent target. Storms added that Java is on everyone’s computer but is rarely interacted with, a factor that hackers take particular advantage of. Storms said that because people do not interact with the software, they are unlikely to update it.