Criminals hit Oracle flaws hard with Java exploits

SOFTWARE JIHADIST Microsoft revealed that criminal hackers adopted new methods of attack at the end of last year, focusing on attacking Java vulnerabilities more than they had ever done before.

In Microsoft's latest security intelligence report, the firm revealed that in the third quarter of 2010 the number of Java attacks increased to fourteen times the number of attacks it saw in the previous quarter.

Hackers focused on two particular exploits in the Oracle (previously Sun) Java virtual machine (JVM) engine for executing Java programs, accounting for 85 per cent of Java attacks.

The report said that Java attacks surpassed every other exploitation category that the Microsoft Malware Protection tracked. These included HTML and scripting exploits, operating system exploits, and document exploits.

It said, "Most of the exploits observed involved malicious HTML inline frames (Iframes) that surreptitiously open pages hosting malicious code in users' web browsers."

The exploits attacked holes that should have been patched but weren't because machines weren't properly updated. Another problem was that security firms didn't have good ways of checking for Java-based exploits.

Possibly of some surprise was the fact that Adobe Reader and Acrobat exploits dropped by more than half after the first quarter of 2010, and remained at a reduced level for the rest of the year.

But Windows operating system exploits increased significantly by the end of 2010, due to the exploitation of two high-profile vulnerabilities. µ