Java Flaw Repair Email Camouflages Crafty New Malware Attack
NEWS ANALYSIS: The Java vulnerability that was announced in January is bad enough. But now there’s a new form of malware that pretends to be the update for Java that fixes it, but instead just adds more malware.Back in January there was big news about a zero-day vulnerability in Java. This vulnerability would let the Bad Guys execute software on your computer, allowing them to (among other things) turn it into another zombie machine on a botnet. At the time, the recommendation was that users disable Java in their browsers. As you might imagine, Oracle, the company that took responsibility for Java when it acquired Sun Microsystems, hurriedly worked on a fix. That fix is now available and you can download it. But the attention to the Java vulnerability has now led to a new approach to malware that pretends to be a fix for the vulnerability. What happens is this. The new malware appears on your screen, and looks for the most part like the standard Java update window and requests permission to install an update. The Java logo is there, and if you’re not paying attention, it seems legitimate. But click to give permission and it will install malware instead of an update. “The Java security update is a type of social engineering,” said Kevin Haley, director, Symantec Security Response. “It’s unrelated to the vulnerability; it’s just a way to get people to click on the attachment.”
Fortunately, if you have adequate security software it won’t be able to do anything even if you click to give it permission to perform the “update.” Unfortunately, there’s no way to know for sure that your security software caught it. Everything depends on exactly what kind of security software you’re running, and how recently it’s been updated. “You should consider yourself infected,” Haley said.