Amazone

Tuesday, October 19, 2010

Microsoft researcher: Java attacks reached “unprecedented” levels during Q3

According to a recent report by Microsoft Malware Protection Center researcher Holly Stewart, attacks on Java reached “unprecedented” levels during the third quarter of 2010, but most of them went largely unnoticed by the security community.
In a Monday blog post, Stewart, a senior program manager at Microsoft, said that attacks against Java reached six million during the third quarter, as against the earlier quarter's figure of fewer than 100,000 attacks on Adobe PDF documents.
Talking about the attacks, Stewart said in the blog post: “Java is ubiquitous, and, as was once true with browsers and document readers like Adobe Acrobat, people don't think to update it. On top of that, Java is a technology that runs in the background to make more visible components work. How do you know if you have Java installed or if it's running?”
Stewart added that almost all of the Java attacks during the third quarter could be traced to three vulnerabilities that have now been patched. They appear in the Common Vulnerabilities and Exposures (CVE) list as CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867.
CVE-2008-5353 and CVE-2010-0094 are deserialization issues, while CVE-2009-3867 is a remote code execution issue caused by improper parsing of long file:// URL arguments. CVE-2008-5353 was attacked around 3.5 million times, CVE-2009-3867 nearly 2.6 million times, and CVE-2010-0094 over 200,000 times.
