Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Java Security 'Fix' Is Disguised Malware Attack

Security researchers spot malware masquerading as a Java security update. Users urged to download Java updates directly from Oracle.

Beware any Java security update that you don't download directly from Oracle's website.

That warning comes via antivirus firm Trend Micro, which has spotted a new ransomware campaign using malware that's packaged to resemble Java 7 update 11. The real update was released Sunday by Oracle as an emergency fix for two zero-day vulnerabilities in Java -- including CVE-2012-3174 -- that are being actively exploited by attackers.

The malware may be encountered when visiting websites that have been compromised with a crimeware toolkit and used to launch drive-by attacks against browsers.

The attack begins with a Web page warning that a newer version of Java is required to access site content. The site then pushes a file named "javaupdate11," which will trigger an operating system alert asking whether the user wishes to execute the file. In reality, however, the application -- named "javaupdate11.jar" -- is a malicious dropper, which if installed then downloads and executes two malicious files -- up1.exe and up2.exe -- that create a backdoor on the system that can be accessed by attackers. Next, the dropper attempts to download ransomware that locks the system and requires the user to pay a fine, supposedly to a law enforcement agency, to unlock it.

[ Java-related security announcements have raised more questions than they've answered. See Java Security Warnings: Cut Through The Confusion. ]

To be clear, this is a social-engineering attack that leads to a scam, predicated on tricking people rather than exploiting actual bugs. "Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat [are] clearly piggybacking on the Java zero-day incident and users' fears," said Trend Micro fraud analyst Paul Pajares and security engineer Rhena Inocencio in a blog post. "The use of fake software updates is an old social engineering tactic."

The attack, of course, preys on ongoing questions about the safety of using Java. "In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it?" said the researchers. If the answer is yes, they recommend only downloading Java updates directly from Oracle's Java SE Downloads page.

Don't let your Web browser install Java for you. That's because incompatibilities have been found -- for example by information security consultant Michael Hoowitz -- between the Java console and some browsers. Notably, some browsers aren't always correctly reporting whether or not Java is installed or not, or which version of Java might be running. For example, some Windows users who have Java 7 update 11 installed report that Firefox claims the plug-in isn't installed, and then offers to install Java 7 update 10, which is vulnerable to the recently disclosed zero-day attacks.

Will those seeming incompatibilities between the Java console and browsers require a fix from Oracle, browser developers, operating system makers or some combination thereof? An Oracle spokeswoman didn't immediately respond to an emailed request for comment on that question, or questions about whether Oracle might address widespread Java security confusion by reconfiguring Java to offer automatic updates, and creating a website to allow people to verify if their system is running Java.

But in light of the seeming incompatibilities between the Java console and browsers, Java users would appear to be due another update, stat. Furthermore, Oracle has unfinished patching business, since its fix for the two zero-day vulnerabilities only patched one outright. For the other, Oracle altered the default Java security settings from "medium" to "high," which means that any website that calls the Java browser plug-in will trigger a security warning asking users if they want the Java browser plug-in to run, noting that the site they're visiting may be attempting to compromise their security or run malware.

Meanwhile, a new zero-day Java vulnerability was reportedly being offered for sale just 24 hours after Oracle released its update on Sunday. Will a new attack campaign that uses malware to exploit the supposed zero-day vulnerability be far behind?

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVE-2021-3420
PUBLISHED: 2021-03-05
A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.
CVE-2020-29020
PUBLISHED: 2021-03-05
Improper Access Control vulnerability in web service of Secomea SiteManager allows remote attacker to access the web UI from the internet using the configured credentials. This issue affects: Secomea SiteManager All versions prior to 9.4.620527004 on Hardware.