A recent annual report from Cisco highlights something that's pretty obvious to anyone who's been paying attention to malware statistics over the last several years: ads are one of the biggest sources of malicious content on the web. It's not that hard to sneak a bad ad into one of these ad-syndicate networks, which then distributes it to a number of otherwise-innocent websites.
Malicious ads can be tricky to diagnose, as reports from customers may be difficult to reproduce – all your ad stars must align perfectly in order to see where exactly the bad code element originated. This can lead to a host of issues like what happened with Netseer's ad network over the last few days. In that case, there was a legitimate problem, but because of an overly broad warning, people were getting malware alerts about websites that were not necessarily serving malicious ads.
Of these online attacks, the vast majority (around 80% throughout the year) exploited Java vulnerabilities to carry out their malicious actions. This shows clearly what security people have been saying for years: Java is a huge boon for cybercriminals. It's cross-platform and full of holes, and updates come fairly slowly unless a vulnerability reaches a high level of prevalence. Even then, people are not updating in a timely fashion. Many of the samples Cisco saw throughout the year contained exploits for vulnerabilities in multiple applications (such as Flash or PDF), but the Java exploits were much more successful. With Oracle's promise of a major overhaul of Java, it will be interesting to see what the statistics for 2013 show about their success.
Here's Cisco's 2013 report in its entirety.