Oracle's Java Patch Not Enough to Stop Hackers
Despite Oracle's recent Java security patch, hackers found a way into the program and conducted email phishing campaigns directed at Microsoft and Amazon users.
Researchers at the SANS Institute's Internet Storm Center (ISC) and security firm Websense this weekend issued separate reports about the vulnerability, which became public late last month.
ISC focused on fake Microsoft Services Agreement emails that claimed to contain information about "Important Changes to Microsoft Services Agreement and Communication Preferences." The phishing email copied a legitimate, Aug. 27 email from Redmond, but replaced one of the hyperlinks with a virus.
Meanwhile, hackers used illegitimate "Amazon order" emails to deliver malicious links intended to access personal and financial data, according to Websense. On Sept. 1, the security site intercepted more than 10,000 emails with the subject "You Order With Amazon.com," which urged recipients to click on a hyperlink that sent the victim to a Blackhole exploit kit hacking tool.
"This email campaign further illustrates the ingenuity and speed at which cyber-criminals package and propagate malicious content along with social-engineering techniques in order to exploit both recent software vulnerabilities and the trusting nature of end-users," Websense said.
Oracle released an out-of-band fix last week, but didn't patch the hole entirely. Polish firm Security Explorations said Friday that the update contains a bug that allows hackers to bypass and exploit the system. Security Explorations alerted Oracle to the problem on Friday.
Based on Oracle's four-month update cycle, which rolls around again on Oct. 16, a full fix could be on its way next month. In the meantime, PCMag's lead analyst for security, Neil Rubenking, suggested disabling Java altogether.
Earlier this year, the Flashback Trojan infected more than 550,000 Macs when websites exploited the Java flaw that allows Flashback.K to download itself onto Apple computers without warning.