For Oracle and its Java programming language, the hurt just keeps on coming.
Fresh vulnerabilities have been discovered less than a week after Oracle updated Java to address two security flaws being exploited by hackers — but wait, there’s more. Net bandits launched a phishing campaign pushing bogus security updates for the software.
Meanwhile, a tech journalist and Harvard Business School professor lambasted Oracle’s actual security updates as unethical.
The two new vulnerabilities were discovered in the latest version of Java, release 7 update 11 (7u11) by veteran vulnerability finder Adam Gowdiak, founder and CEO of Security Explorations.
“We have successfully confirmed that a complete Java security sandbox bypass can still be gained under the recent version of Java 7 Update 11,” Gowdiak wrote to subscribers of the Full Disclosure mailing list.
“As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today,” he added. Since April 2012, Gowdiak has discovered 52 security bugs in Java 7.
Not Playing Nice in Sandbox
Sandboxes are a technique used by software writers to make applications more secure. Running the app in a sandbox can isolate the program’s execution — and if it’s infected, reduce its ability to contaminate a system.
Java’s sandbox is a popular target of miscreants, according to HD Moore, chief security officer of Rapid7
“A single failure in Java’s sandbox turns into another exploit that wouldn’t be a problem in programs like Chrome, Flash and Acrobat because it’s so hard to skip the sandbox in those programs,” he told TechNewsWorld.
While Oracle scrambled to fix Java, phishers began exploiting public awareness of Oracle’s security update for their own gains.
“It’s a social engineering approach, taking advantage that this Java exploit is being talked about in the media,” George Tubin, a senior security strategist with Trusteer.
Publicity Attracts Phishers
The phishing campaign was first discovered by Trend Micro, which last week found messages purporting to be security updates from Oracle circulating the Internet with attachments containing malware. The malware doesn’t exploit any Java vulnerabilities — it infects a computer and takes control of it.
“This method of infection has become very, very popular in the past few years,” Barry Shteiman, a senior security strategist with Imperva, told TechNewsWorld.
In addition to the direct delivery of malware via email, miscreants are also using emails containing links to websites promising to install a new version of Java, which actually install ransomware on a system instead, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender.
“These fake updates do not exploit any flaws in Java,” he told TechNewsworld. “They just install a Windows-based piece of malware that currently installs ransomware — a type of malware that locks the users’ computer screen and demands payment to return control to the user.”
Attacks on Activists
While there is no evidence yet that the new vulnerabilities in Java are being exploited by hackers, old ones continue to be exploited, according to Jindrich Kubec, a security researcher with Avast.
Kubec has been tracking a series of attacks against social activist websites that exploit previously patched vulnerabilities in Java and several versions of Microsoft Internet Explorer. The latest assault in the campaign was discovered Tuesday at the website for Reporters Without Borders.
The attacks are designed to collect information about visitors to the sites, Kubec explained.
“I believe this serves as intelligence collection on the enemies of the Chinese state,” he told TechNewsWorld.
It allows the Chinese to track what its perceived enemies do, as well as with whom they communicate. It also lets them identify websites that may have been overlooked by Chinese censors, Kubec noted.
“We’ve seen more than 40 sites in the latest wave, as of [Wednesday]. Most of them are still infected and under at least partial control of attackers,” he added.
Vulnerability as Business Opportunity
Although Oracle has received kudos from some security experts for its rapid action on the latest round of vulnerabilities in Java, its update process drew criticism from tech writer Ed Bott, of Cnet, and Ben Edelman, an associate professor at the Harvard Business School.
In a column published Tuesday, Bott knocked Oracle for pushing third-party software with its updates and for being slow to notify users that updates were available.
“Oracle uses the updater to patch security flaws, which is proper, but to push third-party advertising software — that’s quite unusual” Edelman told TechNewsWorld.
“Security updates are supposed to be strictly business. You’re supposed to use it to fix an urgent, genuine, technical problem and nothing else,” he maintained. “Oracle is taking a security vulnerability and flipping it around into a business opportunity.”
Oracle did not respond to our request to comment for this story.