Java’s ubiquity combined with its propensity to stay out of date on a large chunk of its install base makes it an ideal target for hackers. This is enough to ensure that whenever the subject of third-party software vulnerabilities crops up for discussion Java is somewhere at the top of the ensuing list of those most vulnerable. According to the latest volume of Microsoft’s Security Intelligence Report, Java was responsible for the largest number of attacks in the first half of 2011.
During this period, attackers mounted millions of attacks to exploit the large number of vulnerabilities present in Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). If we go back even further to the start of the the third quarter of 2010, Microsoft’s antimalware technologies came face to face with as many as 27 million attacks targeting Java vulnerabilities from then to the end of the second quarter of 2011. That leaves us with a quarterly average as high as 6.9 million during that one year period.
“Many of the more commonly exploited Java vulnerabilities are several years old, and have had security updates available for them for years,” wrote Tim Rains, a director at Microsoft's Trustworthy Computing Group, in a blog post Tuesday. “This illustrates that once attackers develop or buy the capability to exploit a vulnerability, they continue to use the exploit for years, presumably because they continue to get a positive return on investment.”