Since the start of the year, hackers have been exploiting vulnerabilities in Java to carry out a string of attacks against companies including Microsoft, Apple, Facebook, and Twitter, as well as home users. Oracle has made an effort to respond faster to the threats and to strengthen its Java software, but security experts say the attacks are unlikely to let up any time soon.
Just this week, security researchers said the hackers behind the recently uncovered MiniDuke cyberespionage campaign used Web-based exploits for Java and Internet Explorer 8, along with an Adobe Reader exploit, to compromise their targets. Last month, the MiniDuke malware infected 59 computers belonging to government organizations, research institutes, think tanks and private companies from 23 countries.
[ How to kill Java dead. | What the latest Java flaws really mean. | Developers: Java doesn't have to be unsafe. | After initial silence on Java flaws, Oracle said that it really does care. | Find out the latest from the Java realm with InfoWorld's Enterprise Java newsletter. ]
The Java exploit used by MiniDuke targeted a vulnerability that hadn't been patched by Oracle at the time of the attacks, Kaspersky Lab said in a blog post. Vulnerabilities that are made public or exploited before a patch is released are known as zero-day vulnerabilities, several of which have been used in the attacks against Java this year.
In February, software engineers from Microsoft, Apple, Facebook, and Twitter had their work laptops infected with malware after visiting a community website for iOS developers that had been rigged with a Java zero-day exploit. The breaches were the result of a larger "watering hole" attack launched from multiple websites that also affected government agencies and companies in other industries, The Security Ledger reported.
Oracle has responded to the attacks by issuing two emergency security updates since the start of the year and accelerating the release of a scheduled patch. It has also raised the default setting of the security controls for Java applets to high, preventing Web-based Java applications from executing inside browsers without user confirmation.
Security experts say this is a good start but think more should be done to increase the adoption rate for updates and to improve the management of Java security controls in corporate environments. More importantly, they say, Oracle should thoroughly review its Java code to identify and fix the basic security issues. They believe Java would be more secure today if Oracle had listened to the security industry's warnings over the years.