Attacks on Java security hole hidden in bogus Microsoft Services Agreement email

Filed Under: Featured, Java, Malware, Microsoft, Spam, Vulnerability

Globe. Image from ShutterstockOnline scammers are using a recent email from Microsoft as bait in a widespread spam campaign that exploits vulnerabilities in Oracle’s Java software to install malicious programs on vulnerable systems.

Experts at The SANS Institute's Internet Storm Center warned on Saturday that operators there received multiple reports of a spam campaign that uses a recent Microsoft email regarding changes to its Services Agreement for products such as Hotmail and Skydrive to fool users.

The attacks have prompted renewed calls for internet users to disable Java on their systems pending a new update from Oracle Corp. to fix critical, remotely exploitable vulnerabilities in the ubiquitous web technology.

According to SANS, the malicious email is based on an August 27 communication from Microsoft titled "Important Changes to Microsoft Services Agreement and Communication Preferences."

The phishing email replaces links in the original messages with malicious links that send unwitting readers to websites that install a new variant of the Zeus malware, ISC handler Russ McRee warned in a post on September 1st.

The actual Microsoft message, dated August 27, can be viewed here.

It details changes in the terms of a services agreement for users of a wide range of products, including Hotmail, Windows Live Messenger, Microsoft Photo Gallery and SkyDrive, the company’s hosted storage offering.

Blackhole, courtesy of ShutterstockThe malicious websites in question are running the latest versions of the Blackhole Exploit Kit, a kind of Swiss Army Knife for compromising vulnerable computers.

The Blackhole Exploit Kit is capable of analyzing the configuration and software installed on machines visiting web sites on which the exploit kit is installed, and then serve up just exploits that are likely to work against the intended target.

The recent addition of exploit code for the Java vulnerability has more than doubled the success rate of Blackhole exploits, compromising tens of thousands of new systems, according to data from the security firm Seculert.

This isn't the first phishing email that has been linked to attacks on the Java vulnerability. Last week, experts at SophosLabs discovered malicious emails purporting to including information on a tax rate increase that contained links to websites exploiting the Java hole.

Database giant Oracle acquired Java when it bought Sun Microsystems in 2009 and has faced criticism from security experts for failing to respond quickly to security vulnerabilities in the ubiquitous web technology before.

The latest security holes haven’t improved the company's image. It was forced to rush out a patch for the Java security hole last week and received withering criticism after the polish security consultancy Security Explorations disclosed that it reported the critical security hole to Oracle in April, four months earlier.

The company's image was further damaged when the patch Oracle released to fix the flaw failed to fully close the security hole. Security Explorations said that it informed Oracle on Friday that systems running the patched Java 7 Version 7 could be circumvented in a similar manner to earlier versions, allowing for "complete Java sandbox bypass."

Oracle has confirmed receipt of that report and is investigating, Security Explorations said.

In the meantime, ISC and others are advising users to disable Java until the next update is ready.

For those who want to keep Java running, SANS ISC said that email recipients should scrutinize the hyperlinks in any email messages by hovering their mouse cursor over the link prior to clicking on it and by inspecting email headers for suspicious messages.

Sophos experts Paul Ducklin and Chet Wisniewski offer more easy-to-understand advice about Java in the latest Techknow podcast: "All about Java".

Blackhole and Globe image, courtesy of Shutterstock

, , , , , , , , , ,

You might like

7 Responses to Attacks on Java security hole hidden in bogus Microsoft Services Agreement email

  1. JimboC · 1131 days ago

    I can see why malware authors target Java (large user base and its multi-platform and with a tendency for users not to patch it).

    I am really glad that I un-installed Java many years ago, the recent security risks are of a serious concern. Of even more concern is that the most recent security patch, resolved some flaws but also created another one.

    I applaud Sophos for keeping everyone informed as well as providing solid recommendations on protecting oneself from these new threats.

    Thank you.

  2. Jon · 1130 days ago

    Does Blackhole Exploit Kit target machines running Apple OS and Linux as well?

    • lewis · 1130 days ago

      Yes there is a private strain out in the black market i seen recently that is targeting Apple OS and Linux i am gethering some info and then forwarding on to the sophos team.

      There is also a rat what sophos mentioned lastweek called netwire that is a multi-platform rat that is becoming really popular lately.

      Keep definitions upto date and you should be safe.

  3. Dennis Leischner · 1130 days ago

    I had received an email on September 1 concerning these changes but DID NOT click on the links. Thank you for keeping us up to date on these scams.

  4. victor · 1130 days ago

    Thanks for keeping us up to date. Could it be possible for you to listr which Java version you are referring to as I have no idea if what I have was an updated version. I have just updated mine.


  5. MikeP · 1130 days ago

    Some on-line banking services require the use of Java, it doesn't work without it or a 'transparent' alternative. So if Java is so open to being misused, what alternative(s) are there to allow continued use of services that require Java and check for its presence before loading?

  6. Dave Feland · 1130 days ago

    I had noticed that email used an older version of the MS logo... They just recently changed it, and had this been real, would have used the new one.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on, The Boston Globe,, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.