Flash and Java still as vulnerable as ever, says Microsoft

Microsoft's latest Security Intelligence Report for the second half of 2013 sees Java and Flash as the top attack vectors, with Java being nearly the default

Java and Flash are still gigantic targets for attackers, and Java has become the biggest security problem for Windows users, according to Microsoft's most recent Security Intelligence Report. Volume 16 covers trends in worldwide IT security across the second half of 2013.

The report, assembled mainly from intelligence from Microsoft's Trustworthy Computing division, looks at the way the most common threats faced in computing today -- vulnerabilities, malware, exploits, and so on -- evolved during 2013. What's most dismaying is that so many of the same kinds of exploits, attacks, and attack vectors remain a problem.

Case in point: Java. An analysis of the targets of various exploit kits showed the three biggest targets during the past year were Java, Internet Explorer, and Adobe Flash, with Java so far in the lead the others scarcely deserved mention. And Windows itself was hardly targeted anymore. After all, why bother smashing down the front door when you can slip in through a back window?

To that end, the vast majority of vulnerabilities involved applications that weren't part of the core OS or were browsers. Java and Flash, again, were the biggest examples, but Flash was particularly bad in that the most persistently encountered Flash threat in the wild, CVE-2007-0071, was first reported and patched in, believe it or not, 2008. This speaks to the stagnation of Flash as a technology; either it's being used but not being upgraded or it's not being used but not being removed. (Another set of exploits, involving documents, mainly involved infected PDFs.)

One reason for the explosive growth in attacks on Java and Flash was the growing prevalence of exploit kits, collections of exploits that are sold on the black market. These make it possible for many more people to orchestrate attacks without having to find vulnerabilities themselves or write the tools to exploit them.

That isn't to say the OS itself isn't a target. In fact, according to Microsoft, the number of core OS vulnerabilities has gone up steadily year by year. Not all involve Windows, though, as Microsoft describes this as an industry-wide trend.

The report sees good news in the way exploit encounter rates for the most common varieties of exploits (Java, Flash) have declined. This seems to come thanks to more scrutiny of websites that contain <iframe> tags that point at malware-infected servers -- not a new exploit and one attributed by Microsoft to Web frameworks that haven't been updated to provide protection. But, although about 20 percent of systems encountered malware in 2013, only about 1.17 percent ended up infected.

Symantec senior VP Brian Dye's declaration that antivirus software "is dead" has provoked a good deal of soul-searching and discussion about what kinds of security work best in a world of rapidly evolving threats driven by financial gain. Microsoft's report hints at how a proactive approach -- shutting down crimeware syndicates and taking botnets offline -- may be the way to go.

Such actions, however, generally are practical only for organizations the size of Microsoft, and so the recommendations Microsoft makes are minimizing attack surfaces by way of the Enhanced Mitigation Experience Toolkit or using AppLocker or Group Policy to whitelist applications.

The most actionable bit of advice may be in this line near the end: "Identify business dependencies on Java and develop a plan to minimize its use where it is not needed." As InfoWorld's Paul Krill and Roger Grimes both have lamented: If only it were that simple.

This story, "Flash and Java still as vulnerable as ever, says Microsoft," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.