Attacks on Java security hole hidden in bogus Microsoft Services Agreement email

Java hole exploited in spam messages

Online scammers are using a recent email from Microsoft as bait in a widespread spam campaign that exploits vulnerabilities in Oracle’s Java software to install malicious programs on vulnerable systems.

Experts at The SANS Institute’s Internet Storm Center warned on Saturday that operators there received multiple reports of a spam campaign that uses a recent Microsoft email regarding changes to its Services Agreement for products such as Hotmail and Skydrive to fool users.

The attacks have prompted renewed calls for internet users to disable Java on their systems pending a new update from Oracle Corp. to fix critical, remotely exploitable vulnerabilities in the ubiquitous web technology.

According to SANS, the malicious email is based on an August 27 communication from Microsoft titled “Important Changes to Microsoft Services Agreement and Communication Preferences.”

The phishing email replaces links in the original messages with malicious links that send unwitting readers to websites that install a new variant of the Zeus malware, ISC handler Russ McRee warned in a post on September 1st.

The actual Microsoft message, dated August 27, can be viewed here.

It details changes in the terms of a services agreement for users of a wide range of products, including Hotmail, Windows Live Messenger, Microsoft Photo Gallery and SkyDrive, the company’s hosted storage offering.

The malicious websites in question are running the latest versions of the Blackhole Exploit Kit, a kind of Swiss Army Knife for compromising vulnerable computers.

The Blackhole Exploit Kit is capable of analyzing the configuration and software installed on machines visiting websites on which the exploit kit is installed, and then serves up only the exploits that are likely to work against the intended target.

The recent addition of exploit code for the Java vulnerability has more than doubled the success rate of Blackhole exploits, compromising tens of thousands of new systems, according to data from the security firm Seculert.

This isn’t the first phishing email that has been linked to attacks on the Java vulnerability. Last week, experts at SophosLabs discovered malicious emails purporting to include information on a tax rate increase that contained links to websites exploiting the Java hole.

Database giant Oracle acquired Java when it bought Sun Microsystems in 2009 and has faced criticism from security experts for failing to respond quickly to security vulnerabilities in the ubiquitous web technology before.

The latest security holes haven’t improved the company’s image. It was forced to rush out a patch for the Java security hole last week and received withering criticism after the Polish security consultancy Security Explorations disclosed that it had reported the critical security hole to Oracle in April, four months earlier.

The company’s image was further damaged when the patch Oracle released to fix the flaw failed to fully close the security hole. Security Explorations said that it informed Oracle on Friday that systems running the patched Java 7 Version 7 could be circumvented in a similar manner to earlier versions, allowing for “complete Java sandbox bypass.”

Oracle has confirmed receipt of that report and is investigating, Security Explorations said.

In the meantime, ISC and others are advising users to disable Java until the next update is ready.

For those who want to keep Java running, SANS ISC said that email recipients should scrutinize the hyperlinks in any email messages by hovering their mouse cursor over the link prior to clicking on it and by inspecting email headers for suspicious messages.
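The "hover over the link" check can be automated for an HTML message body: compare the domain a link's visible text claims against the domain its href actually points to. The following is an added example, not code from ISC or Sophos; the sample message is constructed and the domains in it are placeholders, not indicators from the real campaign.

```python
"""Flag anchors whose visible text names one domain but whose href goes elsewhere.
Added example; SAMPLE below is a constructed message, not the real Microsoft email."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude last-two-labels comparison; no public suffix list, by design."""
    return ".".join(host.lower().split(".")[-2:])


def find_mismatched_links(html):
    """Return [(href, text)] for anchors whose text looks like a URL or host
    whose registrable domain differs from the href's registrable domain."""
    parser = _AnchorCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and href_host and registrable(shown.group(1)) != registrable(href_host):
            out.append((href, text))
    return out


# Constructed sample: one link shows microsoft.com but resolves elsewhere.
SAMPLE = """<p>Important Changes to Microsoft Services Agreement</p>
<a href="http://example.net/agreement">http://www.microsoft.com/agreement</a>
<a href="https://www.microsoft.com/privacy">www.microsoft.com/privacy</a>
<a href="https://example.org/x">Read more</a>"""

if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE):
        print(f"MISMATCH: shows {text!r} but goes to {href}")
```

Links whose text is plain words ("Read more") are not flagged here; those still need the manual hover check the ISC recommends.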

Sophos experts Paul Ducklin and Chet Wisniewski offer more easy-to-understand advice about Java in the latest Techknow podcast: “All about Java”.

Blackhole and Globe image, courtesy of Shutterstock