Trusteer Finds Massive Internet Security Hole Remains Unpatched by Users
Two Thirds of Web Users are Still Vulnerable to Attacks that Exploit Flaw in Java
NEW YORK, Oct. 25, 2010 – Trusteer, the leading provider of secure browsing services, today announced that over a week after Oracle released a critical patch for Java, more than 68 percent of Internet users are still at risk from attacks that exploit these vulnerabilities. This may be the biggest security hole on the Internet today, since 73 percent of Internet computers are using Java. The Trusteer Secure Browsing Service has already warned 14 million users to immediately apply the Java patch and in the mean time protects them against financial malware such as Zeus, that exploit the vulnerabilities in unpatched versions of Java.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 29 new security fixes across Java SE and Java for Business products.
One week after it was released by Oracle only 7 per cent of Java users have installed the latest update. This is worrying because the majority of Java users on the Internet are vulnerable to a large and growing number of Java exploits in the wild. According to Microsoft, the vulnerabilities covered by the critical patch provide ‘...an unprecedented wave of Java exploitation...’ Trusteer believes it is the single most exploitable vulnerability on the web today. http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
“From a security threat standpoint Java is very much like Flash in that it is a ubiquitous technology installed on virtually every computer in the world, which makes it an ultimate platform for distributing malware,” said Mickey Boodaei, Trusteer's CEO. “Using vulnerabilities in these applications is extremely efficient since it enables criminals to target more than two thirds of Internet users. Oracle is facing some major security challenges and one of its biggest hurdles is its software update mechanism. For some reason, it is not effective enough in distributing security patches to the field. Adobe experienced the very same problem last year and since then Flash has been the subject of multiple attacks. To date Adobe hasn't managed to overcome the problem although they are trying and have plans to introduce more security features in their future releases.”
“The spike in Java exploits shows every sign of continuing. Just 120 hours after a Google researcher published details of an unpatched Java exploit late last week, hackers had reportedly already started exploiting the vulnerability. The fact that the time between an exploit being discovered and then being used by hackers in the real world is shortening is of great concern. With so few users updating their systems, this means that a majority of computers are wide open to this new type of attack vector,” he explained.
According to Trusteer, the Java exploit posted to the Full Disclosure mailing list late last week appears to have been picked up by Russian hackers, who are currently exploiting an iFrame-compromised song lyrics site, which re-routes Internet users to a Russia-based malware server. This multi-level attack vector will have taken time to organise, which leads Trusteer to believe that hackers are now monitoring bug disclosure lists on a regular basis, and then mobilising their resources very quickly to create new zero day exploits.
Recommendations from Trusteer
For enterprises: identify all browser add-ons and browser technologies, not just Flash and Java. Make sure to block unnecessary services and quickly update vulnerable add-ons and browsers. Use browser security technologies that can minimize and block the threat within the organization. Patch browsers and browser add-ons as soon as fixes are available.
For end-users: don't disregard vendor software update messages. If a software program is not needed, it should be removed. Otherwise it should be kept up-to-date. Use browser security technologies which can minimize, block, and alert on new threats.
Trusteer, the world’s leading provider of secure browsing services, helps secure computers against Man in the Middle, Man in the Browser, and Phishing attacks. Trusteer is currently used by more than 70 leading financial organizations and enterprises in North America and Europe, and by more than 14 million end users to protect their online banking, shopping and other communication against sophisticated malware attacks and fraud. HSBC, Santander, The Royal Bank of Scotland, SunTrust, Fifth Third, ING DIRECT, and Bank of Montreal are just a few of the banks using Trusteer’s technology. Trusteer's service for enterprises prevents malware from accessing enterprise network resources and sensitive information through SSL - VPN connections and unmanaged devices. Trusteer is a privately held corporation led by former executives from RSA Security, Imperva, and Juniper. Follow us on www.Twitter.com/Trusteer. For more information about our products and services, please visit www.trusteer.com.