It’s really starting to feel like we’re piling on the perennially vulnerable, industry punching bag that is Java. That said, GFI Labs and other security firms are warning their users to be wary of malicious fake Java updaters taking advantage of all the patches Oracle had to ship last week.

Trend Micro late last week uncovered a specific malware campaign posing as Java Update 11. The file was coming from an unknown publisher, which is something of a dead giveaway because a legitimate Java update would almost certainly have Oracle listed as its publisher. The fake update is called javaupdate11.jar and contained two malicious executables, up1.exe and up2.exe. After execution, the files are connecting to a remote server that takes control of the infected systems. The update is reportedly using ‘{BLOCKED}’ to host the malicious update.

As Trend Micro notes, this malware campaign isn’t exploiting any of the zero-days that emerged last week, but is rather using Java’s high profile in light of last week’s zero-day news as a social engineering technique to ensare users.

If you didn’t know (maybe you’ve spent last week or two in a state of deep, post-holiday hibernation), Java has had a terrible couple of weeks. First there was a nasty zero-day that was almost immediately incorporated into all the big exploit kits. Researchers and other security experts were adamant that users disable Java as soon as possible. It then emerged that the zero-day, which apparently targeted a pair of vulnerabilities, arose as the result of an incomplete patch from back in October.

Even after Oracle published an emergency, out-of-band patch, researcher remained skeptical. Most continued to urge users to disable Java while others continued to claim that they could either bypass the new security controls implemented by the fix or that their exploit proofs-of-concept still worked outright. Later in the week, researchers from Immunity Inc. would claim that the out-of-band patch only resolved one of the two zero-days and that a knowledgeable attacker could still exploit the other.

Things certainly didn’t get better for Oracle when Java exploits were implicated in the other huge news story of the week: a five year old cyber-espionage campaign and malware kit called Red October.

Finally Oracle released its enormous, 86-patch, quarterly update. However, it quickly emerged that Oracle’s quarterly critical patch updates do not include Java updates and thus had nothing to do with the unfolding java fiasco.

The week ended with more reports that Oracle’s out-of-band java update was hopelessly broken and that researchers had developed two new methods of bypassing the Java sandbox.

To be fair, at this point there is absolutely nothing Oracle can do if cybercriminals are convinced that they can exploit Java’s early year catastrophe by mimicing Oracle Java updates to spread their wares.

January has been ruthless to Java, but, frankly, Java has never been a shining beacon of security excellence. For years security experts have ridiculed Java. There was a serious Java bug in late September that may have affected as many as one billion desktops and (again) prompted experts and users alike to seriously consider disabling Java once and for all.

Categories: Vulnerabilities