Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Patches Java Installer Vulnerability

Oracle has released updates for Java 6, 7 and 8 to address a high severity vulnerability that can be exploited by a remote, unauthenticated attacker for arbitrary code execution.

Oracle has released updates for Java 6, 7 and 8 to address a high severity vulnerability that can be exploited by a remote, unauthenticated attacker for arbitrary code execution.

The vulnerability, identified by researcher Stefan Kanthak and tracked as CVE-2016-0603, is related to the fact that the Windows installers for Java 6, 7 and 8 load and execute several DLLs from their application directory, which is typically the “Downloads” folder.

If an attacker can place a malicious DLL in Downloads before Java is installed from the same folder, the code inside the DLL file gets executed during installation, which could lead to a complete compromise of the targeted system. This is why Oracle has classified the vulnerability as high risk, despite not being easy to exploit.

Oracle advised users who downloaded Java and had planned to install it later to discard the old installers and download Java 6u113, 7u97 or 8u73.

“Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability. However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later,” Eric Maurice, director of software security assurance at Oracle, said in a blog post.

According to an advisory published by Kanthak, the same vulnerability also affects the Oracle VM VirtualBox installer (CVE-2016-0602). The security hole was patched in VirtualBox with Oracle’s January 2016 critical patch update (CPU).

Many popular applications plagued by the same flaw

Over the past months, Kanthak has published advisories for many popular applications affected by the same DLL hijacking vulnerability. The list of affected software vendors includes Mozilla, VLC, Google, Microsoft and various security companies, such as Kaspersky Lab, Panda Security, Emsisoft, Trend Micro, F-Secure, ESET, Avira and Intel Security.

Advertisement. Scroll to continue reading.

The researcher says many vendors, including security companies, ignored his reports. However, firms like Kaspersky, F-Secure and Intel Security have released patches to address the issue.

This type of security weakness has been known for many years, but as Kanthak’s analysis has shown, many vendors have failed to ensure that their installers are not vulnerable.

As some experts have pointed out, this type of attack can be useful for malicious actors because it saves them the trouble of having to convince victims to execute a piece of malware once it has been downloaded to the targeted machine.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.