While Java was a huge target for hackers in 2013, the number of Java-related attacks has dropped dramatically this year. Somewhat surprisingly, no zero-day Java exploits were reported in the first half of 2014, according to Bromium Labs’ report on endpoint exploitation trends for the first half of the year.
Hackers haven’t slowed their activity, however. They’ve simply focused their efforts on other targets, notably Microsoft’s Internet Explorer and Adobe Flash.
Because old versions of the Java Runtime Environment (JRE) are typically now blocked in the browser by default, Java applets require explicit activation from users, wrote Bromium Labs researchers, “so this attack vector becomes harder and harder to leverage,” which leaves hackers looking to other popular applications to exploit.
“It’s evident that attackers continue to shift focus in between ubiquitous internet facing applications, but there’s a common theme throughout – attacking the end users,” wrote Bromium Labs researchers in a blog post.
Attacking IE
Microsoft’s IE was one of the most patched and one of the most exploited applications in 2014’s first half, targeted more often than Mozilla’s Firefox, Google Chrome, Java, Adobe Flash, Adobe Reader or Microsoft Office, according to Bromium Labs. The popular browser often required the most fixes in Microsoft’s monthly Patch Tuesday.
The Bromium Labs researchers also noted several emerging zero-day techniques in which attackers used Adobe Flash to launch ActionScript virtual machine (ASVM) attacks. The researchers mention three such attacks, one of which utilized an emerging technique called ActionScript spray that was also used in two IE exploits.
ActionScript spray facilitates the use of return-oriented programming (ROP), which allows attackers to execute malicious code in the presence of security defenses such as non-executable memory by gaining control of the call stack and executing machine instruction sequences called gadgets.
“This technique leverages the way dense arrays are allocated in memory,” wrote Bromium researchers. “If a vulnerability allows an attacker to control the size of a vector, they could make it as big as the whole memory space and then search for the necessary API calls and ROP gadgets.”
Such techniques are more complex than traditional heap spray attacks, which demonstrates hackers’ willingness to mount increasingly sophisticated attacks, according to Bromium.
“Traditional heap spray was supposed to deal with early address randomization techniques implemented in various operating systems. Nowadays defenses are much more sophisticated. Malicious code must ‘know’ addresses of crucial libraries and API functions in order to execute,” said Vadim Kotov, Bromium’s senior security researcher. “Actionscript spray provides this ‘knowledge,’ while its ancestor doesn’t even address this issue.”
The report refers to Web browser plugins as “a weak link that is just waiting for exploitation in the future.”
Still, common-sense security strategies go a long way toward lowering risk related to these emerging attack techniques.
“Action heap spray — as well as traditional heap spray — is merely an instrument to exploit security vulnerabilities,” Kotov said. “If you want to reduce the probability of being compromised, you need to have reasonable patching policy and invest in protection software.”
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.