Oracle's efforts to patch the Java security flaws plaguing users have become complicated by a phishing campaign that sends messages masquerading as official updates with attachments that hijack computers instead. In the meantime, the flaws that Oracle is attempting to patch continue to be exploited. Reporters Without Borders was the target of the latest attack.
For Oracle and its Java programming language, the hurt just keeps on coming.
Fresh vulnerabilities have been discovered less than a week after Oracle updated Java to address two security flaws being exploited by hackers -- but wait, there's more. Net bandits launched a phishing campaign pushing bogus security updates for the software.
Meanwhile, a tech journalist and Harvard Business School professor lambasted Oracle's actual security updates as unethical.
The two new vulnerabilities were discovered in the latest version of Java, release 7 update 11 (7u11), by veteran vulnerability finder Adam Gowdiak, founder and CEO of Security Explorations.
"We have successfully confirmed that a complete Java security sandbox bypass can still be gained under the recent version of Java 7 Update 11," Gowdiak wrote to subscribers of the Full Disclosure mailing list.
"As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today," he added. Since April 2012, Gowdiak has discovered 52 security bugs in Java 7.
Not Playing Nice in Sandbox
Sandboxes are a technique used by software writers to make applications more secure. Running the app in a sandbox can isolate the program's execution -- and if it's infected, reduce its ability to contaminate a system.
Java's sandbox is a popular target of miscreants, according to HD Moore, chief security officer of Rapid7.
"A single failure in Java's sandbox turns into another exploit that wouldn't be a problem in programs like Chrome, Flash and Acrobat because it's so hard to skip the sandbox in those programs," he told TechNewsWorld.
While Oracle scrambled to fix Java, phishers began exploiting public awareness of Oracle's security update for their own gains.
"It's a social engineering approach, taking advantage that this Java exploit is being talked about in the media," said George Tubin, a senior security strategist with Trusteer.
Publicity Attracts Phishers
The phishing campaign was first discovered by Trend Micro, which last week found messages purporting to be security updates from Oracle circulating the Internet with attachments containing malware. The malware doesn't exploit any Java vulnerabilities -- it infects a computer and takes control of it.
"This method of infection has become very, very popular in the past few years," Barry Shteiman, a senior security strategist with Imperva, told TechNewsWorld.
In addition to the direct delivery of malware via email, miscreants are also using emails containing links to websites promising to install a new version of Java, which actually install ransomware on a system instead, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender.
"These fake updates do not exploit any flaws in Java," he told TechNewsWorld. "They just install a Windows-based piece of malware that currently installs ransomware -- a type of malware that locks the users' computer screen and demands payment to return control to the user."
Attacks on Activists
While there is no evidence yet that the new vulnerabilities in Java are being exploited by hackers, old ones continue to be exploited, according to Jindrich Kubec, a security researcher with Avast.
Kubec has been tracking a series of attacks against social activist websites that exploit previously patched vulnerabilities in Java and several versions of Microsoft Internet Explorer. The latest assault in the campaign was discovered Tuesday at the website for Reporters Without Borders.
The attacks are designed to collect information about visitors to the sites, Kubec explained.
"I believe this serves as intelligence collection on the enemies of the Chinese state," he told TechNewsWorld.
It allows the Chinese state to track what its perceived enemies do, as well as with whom they communicate. It also lets them identify websites that may have been overlooked by Chinese censors, Kubec noted.
"We've seen more than 40 sites in the latest wave, as of [Wednesday]. Most of them are still infected and under at least partial control of attackers," he added.
Vulnerability as Business Opportunity
Although Oracle has received kudos from some security experts for its rapid action on the latest round of vulnerabilities in Java, its update process drew criticism from tech writer Ed Bott, of Cnet, and Ben Edelman, an associate professor at the Harvard Business School.
In a column published Tuesday, Bott knocked Oracle for pushing third-party software with its updates and for being slow to notify users that updates were available.
"Oracle uses the updater to patch security flaws, which is proper, but to push third-party advertising software -- that's quite unusual," Edelman told TechNewsWorld.
"Security updates are supposed to be strictly business. You're supposed to use it to fix an urgent, genuine, technical problem and nothing else," he maintained. "Oracle is taking a security vulnerability and flipping it around into a business opportunity."