Java Every-Days: Exploiting Software Running on 3 Billion Devices

Presented at DEF CON 21 (2013), Aug. 4, 2013, 11 a.m. (45 minutes)

Over the last three years, Oracle Java has become the exploit author's best friend. And why not? Java has a rich attack surface, broad install base, and runs on multiple platforms allowing attackers to maximize their return-on-investment. The increased focus on uncovering weaknesses in the Java Runtime Environment (JRE) shifted research beyond classic memory corruption issues into abuses of the reflection API that allow for remote code execution. This talk focuses on the vulnerability trends in Java over the last three years and intersects public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program.

We begin by reviewing Java's architecture and patch statistics to identify a set of vulnerable Java components. We then highlight the top five vulnerability types seen in ZDI researcher submissions that impact these JRE components and emphasize their recent historical significance. The presentation continues with an in-depth look at specific weaknesses in several Java sub-components, including vulnerability details and examples of how the vulnerabilities manifest and what vulnerability researchers should look for when auditing the component.

Finally, we discuss how attackers typically leverage weaknesses in Java. We focus on specific vulnerability types attackers and exploit kits authors are using and what they are doing beyond the vulnerability itself to compromise machines. We conclude with details on the vulnerabilities that were used in this year's Pwn2Own competition and review steps Oracle has taken to address recent issues uncovered in Java.


  • Jasiel Spelman - Security Researcher
  • Brian Gorenc - Zero Day Initiative, HP Security Research
    Brian Gorenc (@MaliciousInput, @thezdi) is the Manager of Vulnerability Research in HP's Security Research organization. His primary responsibility is running the Zero Day Initiative (ZDI) program and doing root cause analysis on ZDI submissions. Brian's current research centers on discovering vulnerabilities in popular software, analyzing attack techniques, and identifying vulnerability trends. Prior to joining HP he worked for Lockheed Martin on the F-35 Joint Strike Fighter program where he led the development effort of the Information Assurance (IA) products in the JSF's mission planning environment.


Similar Presentations: