While doing some stats & trends on our data, I noticed that there has been a steady rise in the number of malicious Java Archive (JAR) files that we are blocking (pulling data from both within our logs and denylists). While malicious JAR files remain a relatively small threat volume for our users (
- Inclusion of JAVA exploits (for example, CVE-2008-5353 and CVE-2009-3867) within popular exploit kits (for example, Pheonix2, Eleonore, and Liberty)
- Usage of JARs to obfuscate and redirect to malicious payloads (I used the DJ decompiler to analyze one of these the other day)
- Tavis Ormandy's April 2010 discovery of the Java Web Start Argument Injection Vulnerability (Full Disclosure posting)
- Adoption of the Java Signed Applet exploit (Metasploit rev. 8267, Java Applet Infection post)
Trojan executables, malicious PDFs, and browser exploits are much more prevalent than exploits against Java/JRE - but it will be interesting to continue to monitor this trend.
