SECURITY OUTFIT Trend Micro has urged Java users to assess whether the software is necessary due to the rising level of native layer exploits that are being created.
The security company said that attacks on Java are becoming increasingly popular with cyber criminals due to the many vulnerabilities present in Java native layer software code.
"We urge users to carefully evaluate [whether] their usage of Java is necessary and ensure that copies of Java that are used are updated, to reduce exposure to present and future Java flaws," wrote Trend Micro threat analyst Jack Tang in a blog post.
The firm's findings proceed from Oracle's June 2013 Java SE Critical Patch Update Advisory in which approximately half of the vulnerabilities fixed were in Java native layer code.
According to Tang, two types of Java exploits are being used by attackers, the first being Java layer exploits, which target vulnerabilities in the Java layer runtime. These types of attacks are the most prevalent because they are cross platform, can be created with little effort, and attackers do not need to bypass operating system (OS) level protections.
The second type of attack is Java native layer exploits, which target the Java native layer runtime. These exploits are harder to create, as they need to bypass OS level protections like address space layout randomisation (ASLR) and data execution prevention (DEP). In addition, Tang explained that the skills needed to create native layer exploits are more difficult to acquire.
However, Trend Micro has found that native layer Java threats are on the rise due to the growing intelligence shown by attackers, who are becoming more skillful in creating exploits.
"Before 2013, there was a 3:1 ratio of Java layer vulnerabilities to Java native layer vulnerabilities. Starting this year, however, we are now seeing more native layer flaws," Tang said, explaining that in the past there were fewer exploits present in the native layer despite there being more vulnerabilities, because "attackers did not always have the skill to create the necessary exploits".
Tang believes that 2013 will see more native layer Java exploits appear before long.
We contacted Oracle for comment on what it thinks about Trend Micro's claims that users should only install Java if necessary, but we hadn't heard back at the time of publication.
On Tuesday, Finnish security outfit F-Secure warned Java 6 users to upgrade to version 7 as soon as possible to avoid becoming the victims of active cyber attacks.
F-Secure senior analyst Timo Hirvonen warned about the exploit this weekend over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, named CVE-2013-2463.