When Oracle leaves a security flaw in one of the world’s most widely used programs unpatched for four months and then issues a half-baked fix, the company is practically inviting cybercriminals to exploit its users en masse. Now that invitation has been accepted.
Over the weekend, researchers at the SANS Institute’s Internet Storm Center and security firm Websense separately warned of new email phishing campaigns that direct users to rigged websites that take advantage of a widespread Java vulnerability that became public in late August. One, discovered by SANS, impersonates a Microsoft email regarding a real change to Microsoft’s terms of service announced last week. Another, spotted by Websense, spoofs an Amazon order confirmation email.
“This email campaign further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques in order to exploit both recent software vulnerabilities and the trusting nature of end-users,” Websense’s researchers write in a blog post about the Amazon attack.
Both campaigns rely on the Blackhole exploit kit, an off-the-shelf hacking tool that was updated last month to prey on the Java vulnerability, so that users who run the Java plug-in can have their PC entirely compromised via their browser simply by visiting an infected site.
Polish researchers at the firm Security Explorations say they warned Oracle of a collection of issues in Java as early as April. It took Oracle until late last week to issue an update for the most critical of those bugs. But within 24 hours, Security Explorations had already found a flaw in Oracle’s fix that would allow hackers to circumvent the patch.
SANS echoes many others in the security community in advising users to consider disabling Java now rather than wait for another patch. In fact, after watching Oracle’s first failed attempt to solve Java’s security issues last week, users should strongly consider tossing the buggy plug-in regardless of how the software firm responds.