Java Security Fix Is Disguised Malware Attack

Published: 22/11/2024   Category: security




Security researchers spot malware masquerading as a Java security update. Users urged to download Java updates directly from Oracle.



Beware any Java security update that you don't download directly from Oracle's website.
That warning comes via antivirus firm Trend Micro, which has spotted a new ransomware campaign using malware that's packaged to resemble Java 7 update 11. The real update was released Sunday by Oracle as an emergency fix for two zero-day vulnerabilities in Java -- including CVE-2012-3174 -- that are being actively exploited by attackers.
The malware may be encountered when visiting websites that have been compromised with a crimeware toolkit and used to launch drive-by attacks against browsers.
The attack begins with a Web page warning that a newer version of Java is required to access site content. The site then pushes a file named javaupdate11, which will trigger an operating system alert asking whether the user wishes to execute the file. In reality, however, the application -- named javaupdate11.jar -- is a malicious dropper, which if installed then downloads and executes two malicious files -- up1.exe and up2.exe -- that create a backdoor on the system that can be accessed by attackers. Next, the dropper attempts to download ransomware that locks the system and requires the user to pay a fine, supposedly to a law enforcement agency, to unlock it.
To be clear, this is a social-engineering attack that leads to a scam, predicated on tricking people rather than exploiting actual bugs. "Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat [are] clearly piggybacking on the Java zero-day incident and users' fears," said Trend Micro fraud analyst Paul Pajares and security engineer Rhena Inocencio in a blog post. "The use of fake software updates is an old social engineering tactic."
The attack, of course, preys on ongoing questions about the safety of using Java. "In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it?" said the researchers. If the answer is yes, they recommend only downloading Java updates directly from Oracle's Java SE Downloads page.
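The download chain described above (a look-alike Java update from a non-Oracle host, followed by up1.exe and up2.exe) can be hunted for in web proxy logs. The following is an added example, not code from Trend Micro or the original article; the log format, the sample lines, the trusted-domain list and the generalised lure pattern are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: domains treated as legitimate Oracle download sources.
TRUSTED_DOMAINS = ("oracle.com", "java.com")
# Lure pattern generalised from the article's "javaupdate11" file name.
LURE_RE = re.compile(r"java.*update", re.IGNORECASE)
# Follow-on payload names reported in the article.
PAYLOADS = {"up1.exe", "up2.exe"}

# Constructed sample lines: "<time> <client> <method> <url> <status>"
SAMPLE_LOG = [
    "2013-01-16T09:00:01 10.0.0.5 GET http://www.java.com/javaupdate.exe 200",
    "2013-01-16T09:02:10 10.0.0.7 GET http://compromised.example/javaupdate11.jar 200",
    "2013-01-16T09:02:14 10.0.0.7 GET http://files.example/up1.exe 200",
    "2013-01-16T09:02:15 10.0.0.7 GET http://files.example/up2.exe 200",
    "2013-01-16T09:03:40 10.0.0.8 GET http://oracle.com.updates.example/java7update11.exe 200",
    "2013-01-16T09:05:00 10.0.0.9 GET http://files.example/up1.exe 200",
    "2013-01-16T09:06:00 10.0.0.6 GET http://compromised.example/javaupdate11.jar 404",
]

def is_trusted(host):
    """Exact domain or true subdomain only; 'oracle.com.updates.example' fails."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def find_fake_java_updates(lines):
    """Return (client, kind, url) findings in log order."""
    findings, suspects = [], set()
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] != "200":
            continue  # malformed line, or nothing was delivered
        client, url = parts[1], parts[3]
        parsed = urlparse(url)
        name = parsed.path.rsplit("/", 1)[-1].lower()
        if LURE_RE.search(name) and not is_trusted(parsed.hostname):
            suspects.add(client)  # this client fetched a look-alike update
            findings.append((client, "fake-update", url))
        elif name in PAYLOADS and client in suspects:
            # Generic payload names only count after a lure download.
            findings.append((client, "payload", url))
    return findings

if __name__ == "__main__":
    for finding in find_fake_java_updates(SAMPLE_LOG):
        print(*finding)
```

A client that shows both a fake-update and a payload finding most likely executed the dropper, so it is the first candidate for isolation and backdoor triage.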
Don't let your Web browser install Java for you. That's because incompatibilities have been found -- for example by information security consultant Michael Horowitz -- between the Java console and some browsers. Notably, some browsers aren't always correctly reporting whether Java is installed, or which version of Java might be running. For example, some Windows users who have Java 7 update 11 installed report that Firefox claims the plug-in isn't installed, and then offers to install Java 7 update 10, which is vulnerable to the recently disclosed zero-day attacks.
Will those seeming incompatibilities between the Java console and browsers require a fix from Oracle, browser developers, operating system makers or some combination thereof? An Oracle spokeswoman didn't immediately respond to an emailed request for comment on that question, or questions about whether Oracle might address widespread Java security confusion by reconfiguring Java to offer automatic updates, and creating a website to allow people to verify if their system is running Java.
But in light of the seeming incompatibilities between the Java console and browsers, Java users would appear to be due another update, stat. Furthermore, Oracle has unfinished patching business, since its fix for the two zero-day vulnerabilities only patched one outright. For the other, Oracle altered the default Java security settings from medium to high, which means that any website that calls the Java browser plug-in will trigger a security warning asking users if they want the Java browser plug-in to run, noting that the site they're visiting may be attempting to compromise their security or run malware.
Meanwhile, a new zero-day Java vulnerability was reportedly being offered for sale just 24 hours after Oracle released its update on Sunday. Will a new attack campaign that uses malware to exploit the supposed zero-day vulnerability be far behind?
