Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Java Security 'Fix' Is Disguised Malware Attack

Security researchers spot malware masquerading as a Java security update. Users urged to download Java updates directly from Oracle.

Beware any Java security update that you don't download directly from Oracle's website.

That warning comes via antivirus firm Trend Micro, which has spotted a new ransomware campaign using malware that's packaged to resemble Java 7 update 11. The real update was released Sunday by Oracle as an emergency fix for two zero-day vulnerabilities in Java -- including CVE-2012-3174 -- that are being actively exploited by attackers.

The malware may be encountered when visiting websites that have been compromised with a crimeware toolkit and used to launch drive-by attacks against browsers.

The attack begins with a Web page warning that a newer version of Java is required to access site content. The site then pushes a file named "javaupdate11," which will trigger an operating system alert asking whether the user wishes to execute the file. In reality, however, the application -- named "javaupdate11.jar" -- is a malicious dropper, which if installed then downloads and executes two malicious files -- up1.exe and up2.exe -- that create a backdoor on the system that can be accessed by attackers. Next, the dropper attempts to download ransomware that locks the system and requires the user to pay a fine, supposedly to a law enforcement agency, to unlock it.

[ Java-related security announcements have raised more questions than they've answered. See Java Security Warnings: Cut Through The Confusion. ]

To be clear, this is a social-engineering attack that leads to a scam, predicated on tricking people rather than exploiting actual bugs. "Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat [are] clearly piggybacking on the Java zero-day incident and users' fears," said Trend Micro fraud analyst Paul Pajares and security engineer Rhena Inocencio in a blog post. "The use of fake software updates is an old social engineering tactic."

The attack, of course, preys on ongoing questions about the safety of using Java. "In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it?" said the researchers. If the answer is yes, they recommend only downloading Java updates directly from Oracle's Java SE Downloads page.

Don't let your Web browser install Java for you. That's because incompatibilities have been found -- for example by information security consultant Michael Hoowitz -- between the Java console and some browsers. Notably, some browsers aren't always correctly reporting whether or not Java is installed or not, or which version of Java might be running. For example, some Windows users who have Java 7 update 11 installed report that Firefox claims the plug-in isn't installed, and then offers to install Java 7 update 10, which is vulnerable to the recently disclosed zero-day attacks.

Will those seeming incompatibilities between the Java console and browsers require a fix from Oracle, browser developers, operating system makers or some combination thereof? An Oracle spokeswoman didn't immediately respond to an emailed request for comment on that question, or questions about whether Oracle might address widespread Java security confusion by reconfiguring Java to offer automatic updates, and creating a website to allow people to verify if their system is running Java.

But in light of the seeming incompatibilities between the Java console and browsers, Java users would appear to be due another update, stat. Furthermore, Oracle has unfinished patching business, since its fix for the two zero-day vulnerabilities only patched one outright. For the other, Oracle altered the default Java security settings from "medium" to "high," which means that any website that calls the Java browser plug-in will trigger a security warning asking users if they want the Java browser plug-in to run, noting that the site they're visiting may be attempting to compromise their security or run malware.

Meanwhile, a new zero-day Java vulnerability was reportedly being offered for sale just 24 hours after Oracle released its update on Sunday. Will a new attack campaign that uses malware to exploit the supposed zero-day vulnerability be far behind?

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10737
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
CVE-2020-13622
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
CVE-2020-13623
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.
CVE-2020-13616
PUBLISHED: 2020-05-26
The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
CVE-2020-13614
PUBLISHED: 2020-05-26
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.