Tuesday 9 February 2016

Oracle Fixes Java Installer Vulnerability

Oracle has released new updates for Java 6, 7 and 8 to address a high severity vulnerability that can easily be exploited by an unauthenticated attacker, including a remote one, for arbitrary code execution.

Researcher Stefan Kanthak identified the vulnerability, which is tracked as CVE-2016-0603. It stems from the Windows installers for Java 6, 7 and 8 loading and executing several DLLs from the application directory.

According to Oracle, the vulnerability is classified as high risk, even though it is not easy to exploit. If an attacker places a malicious DLL in the user's Downloads folder before Java is installed, the code in that DLL is executed during installation, resulting in a complete compromise of the targeted system.
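The installer-side DLL planting described above leaves a recognisable trace in image-load telemetry. The following Python is an added example, not code from Oracle or from Kanthak's advisory; it assumes Sysmon-style ImageLoad records with Image, ImageLoaded and Signed fields, uses constructed sample records, and flags a process running from a user-writable folder that loaded a DLL from that same folder.

```python
import ntpath  # Windows path semantics, so the check also runs on non-Windows hosts

# Folders an unprivileged user (or a drive-by download) can write to, where a
# planted DLL can sit until the installer is run. Heuristic markers, lower-case.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\desktop\\", "\\temp\\")

# Constructed sample of Sysmon Event ID 7 (ImageLoad) fields, not real telemetry.
# "java-installer-old.exe" is a placeholder name for a pre-fix installer.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\java-installer-old.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\Downloads\java-installer-old.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\dwmapi.dll", "Signed": "false"},
]


def in_user_writable_dir(path: str) -> bool:
    """True if the Windows path lies under a typical user-writable folder."""
    normalised = ntpath.normcase(path)  # lower-case, backslash separators
    return any(marker in normalised for marker in USER_WRITABLE_MARKERS)


def flag_planted_dll_loads(events):
    """Return (process, dll, signed) triples where a process started from a
    user-writable folder loaded a DLL from that same folder: the pattern an
    installer exhibits when it picks up a DLL planted next to it."""
    findings = []
    for event in events:
        image, dll = event["Image"], event["ImageLoaded"]
        same_dir = (ntpath.normcase(ntpath.dirname(image))
                    == ntpath.normcase(ntpath.dirname(dll)))
        if same_dir and in_user_writable_dir(dll):
            findings.append((ntpath.basename(image), ntpath.basename(dll),
                             event.get("Signed", "unknown")))
    return findings


if __name__ == "__main__":
    for process, dll, signed in flag_planted_dll_loads(SAMPLE_EVENTS):
        print(f"ALERT: {process} loaded {dll} from its own folder (Signed={signed})")
```

A load from System32 is not flagged even when the installer sits in Downloads, and a signed DLL beside an application under Program Files is not flagged either, so the rule keys on location rather than on the DLL name alone.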

Oracle advised users to discard the old installers and download Java 6u113, 7u97 or 8u73.

“Because the exposure exists only during the installation process, users need not upgrade existing Java installations to address the vulnerability. However, Java users who have downloaded any old version of Java prior to 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later,” Eric Maurice, director of software security assurance at Oracle, said in a blog post.

The Oracle VM VirtualBox installer (CVE-2016-0602) was affected by the same vulnerability; that hole was patched with Oracle's January 2016 Critical Patch Update (CPU). Beyond the VirtualBox installer, many other popular applications have been affected by the same flaw.

Over the past months, Kanthak has published advisories for popular applications affected by the same DLL hijacking vulnerability. The affected vendors include:

  • Mozilla
  • VLC
  • Google
  • Microsoft
  • Many security companies (F-Secure, Kaspersky Lab, Emsisoft, Panda Security, Avira, Intel Security, Trend Micro and ESET)

The researcher says many vendors, including security companies, ignored his reports. Some firms, such as F-Secure, Kaspersky and Intel Security, have already released patches to address the issue.

This type of security weakness has been known for many years, but as Kanthak's analysis has shown, many vendors have failed to ensure that their installers are not vulnerable.
