Java flaw shows danger of storing old installers in your download folder

Posted on Tuesday, February 09 2016 @ 13:14 CET by Thomas De Maesschalck
Oracle issued a warning urging users to delete any Java installers still lingering in their browser's download folder, because older versions of the Java installer are vulnerable to an attack technique called binary planting.

The company says Java installers with version numbers below 6u113, 7u97 and 8u73 are vulnerable to the attack. The flaw is quite complex to exploit, though: it requires planting malicious DLLs in the browser's download folder, and those DLLs are only executed if the user runs one of the vulnerable installers:
The reason is that older Java installers are designed to look for and automatically load a number of specifically named DLL (Dynamic Link Library) files from the current directory. In the case of Java installers downloaded from the Web, the current directory is typically the computer's default download folder.

If an attacker manages to place a specifically named malicious DLL into a computer's "Downloads" folder, that file will be executed when the user tries to install Java for the first time or when he manually updates an existing Java installation by downloading and running a new installer.

"Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user’s system," said Eric Maurice, Oracle's software security assurance director, in a blog post.
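Oracle's advice boils down to a simple housekeeping check: look for outdated Java installers (and any stray DLLs) sitting in the download folder. The script below is an added example, not code from the article or from Oracle. It assumes the usual Oracle installer filename convention (e.g. jre-8u71-windows-x64.exe, jdk-7u80-windows-i586.exe) and uses the fixed version thresholds quoted above; the sample filenames in the demo are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# First fixed installer version per Java family, as stated in Oracle's warning.
FIXED_UPDATE = {6: 113, 7: 97, 8: 73}

# Assumed Oracle installer naming convention: "<jre|jdk>-<major>u<update>-windows-<arch>.exe".
INSTALLER_RE = re.compile(r"^(?:jre|jdk)-(\d)u(\d+)-windows-[^.]+\.exe$", re.IGNORECASE)


def parse_installer(name):
    """Return (major, update) for a Java installer filename, or None if it is not one."""
    match = INSTALLER_RE.match(name)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_vulnerable(name):
    """True if the filename is a Java installer older than the fixed version for its family."""
    parsed = parse_installer(name)
    if parsed is None:
        return False
    major, update = parsed
    if major not in FIXED_UPDATE:
        return False  # families not covered by the advisory are not judged here
    return update < FIXED_UPDATE[major]


def audit_downloads(folder):
    """Scan a folder and report stale Java installers and loose DLL files next to them."""
    stale_installers, loose_dlls = [], []
    for entry in sorted(os.listdir(folder)):
        if is_vulnerable(entry):
            stale_installers.append(entry)
        elif entry.lower().endswith(".dll"):
            loose_dlls.append(entry)  # a DLL in a download folder is worth a second look
    return {"stale_installers": stale_installers, "loose_dlls": loose_dlls}


def demo_audit():
    """Run the audit on a temporary folder populated with constructed sample filenames."""
    sample_files = [
        "jre-8u71-windows-x64.exe",   # constructed: below the 8u73 threshold
        "jre-8u73-windows-x64.exe",   # constructed: first fixed 8 release
        "example-planted.dll",        # constructed placeholder name for a stray DLL
        "report.pdf",                 # constructed: unrelated download
    ]
    with tempfile.TemporaryDirectory() as folder:
        for name in sample_files:
            (Path(folder) / name).touch()
        return audit_downloads(folder)


if __name__ == "__main__":
    result = demo_audit()
    for kind, names in result.items():
        print(f"{kind}: {names}")
```

Run it against a real Downloads folder by calling audit_downloads(os.path.expanduser("~/Downloads")); any installer it lists should be deleted and replaced with a current one, as Oracle recommends.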

About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.
