Java exploits have become popular additions to many crimeware kits. As many as 94 percent of endpoints (10’s of millions) running Oracle Java are vulnerable to at least one Java exploit. Patch management is a complicated process for an organization, especially those with remote workers since Java has a cross-platform footprint; and Java updates independently from the vulnerable apps that use it. Common tools for distributing Java threats are exploit kits like Cool, Blackhole and RedKit. Crimeware kits packed with exploits can go for as little as $200 on the black market. The owner of the Blackhole and Cool kits recently announced the creation of a $100,000 budget to purchase browser and browser plug-in vulnerabilities to be used exclusively in those kits. http://alrt.co/15nc2ci
Takeaway: Controls like patch management cannot eliminate risk exposure completely; they can only reduce risk to what you already know. Given the increasing frequency, severity and sophistication of the latest threats, the risk gap from unknown attacks across these kinds of vectors is on the rise. Rather than looking to update a single object or signature at a single point in time, companies must review the entire threat lifecycle and examine multiple opportunities to disrupt attacks.