Support engineers with Oracle are warning users not to download any patches that don’t come directly from the company after learning that attackers are circulating fake fixes for Oracle error messages.
Antonella Giovannetti, a member of the company’s SOA Proactive response team, wrote in a blogpost on Monday that “non-Oracle sites” have been spotted propagating patches, but at this point it’s still unclear exactly which sites are pushing the patches and for which vulnerabilities.
“You probably already don’t need to be told,” Giovannetti wrote, before warning that the fake fixes are:
- Not authorized by [Oracle] in any way
- More than likely to be dangerous to your system
When reached Wednesday, a spokesman for Oracle said the company was still gathering information about the bogus patches.
Disguising malware as fixes for bugs, genuine or fake, is an age-old trick employed by attackers.
Several years ago, attackers tried to dupe Windows users into installing patches masquerading as Patch Tuesday updates while other scams trying to get users to install everything from fake antivirus to fixes for Java – a platform now owned by Oracle – have been commonplace over the past decade or so.
This particular scam comes about a week before Oracle is scheduled to push its first Critical Patch Update of 2015. The company releases its updates quarterly, on the Tuesday closest to the 17th day of January, April, July and October, meaning the next batch of legitimate fixes is due for release next Tuesday, Jan. 20.