Oracle released an unscheduled update for Java SE 6, 7 and 8 that fixes a serious vulnerability in the Windows installer (CVE-2016-0603). The vulnerability is not new; it was found by German researcher Stefan Kanthak.
The vulnerability lies in the fact that the installer loads and executes .DLL files from the directory it is run from, which is usually the “Downloads” folder. Kanthak says that such an attack against the Java installer is not easy to carry out, but the result is definitely worth the effort. First, before the victim installs Java, an attacker would have to trick them into downloading malicious .DLL files, so that they end up in the same directory as the installer. If this condition is met, the attacker can completely compromise the victim’s computer: as soon as the user starts the Java installation, the malicious code hidden in the .DLL files is executed.
Previously, the researcher had found a similar problem in many applications, such as Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt and Apple iTunes. In addition, the installers of many antivirus products were affected by this bug, including ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7’s ScanNowUPnP, Kaspersky and F-Secure.
Oracle representatives explain that users who previously downloaded versions of Java SE below 6u113, 7u97 and 8u73, intending to install them later, should delete these installers and replace them with versions 6u113, 7u97 and 8u73. It is not necessary to update an already installed Java, since the attack only works during installation. Kanthak also noted that he had found a similar vulnerability in the installer of Oracle VM VirtualBox (CVE-2016-0602), which the company fixed back in January of this year.
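The two conditions the article describes, stray .DLL files sitting next to an installer in the Downloads folder and a Java installer older than the fixed builds, can both be checked from an administrator's console. The following PowerShell script is an added example written for this page; it is not code from the article, from Kanthak or from Oracle. It assumes that Java installers follow the `jre-<major>u<update>-...` / `jdk-<major>u<update>-...` file-naming pattern and that the folder to audit defaults to the current user's Downloads directory; the fixed update levels 6u113, 7u97 and 8u73 are taken from the article.

```powershell
# Added example (not from the article, Kanthak or Oracle): audit a download folder for
# the two conditions described above, DLLs sharing a directory with installers and
# Java installers below the fixed builds 6u113 / 7u97 / 8u73.
# Assumptions: installer names follow the jre-/jdk-<major>u<update>-... pattern and
# the folder defaults to the current user's Downloads directory.

param(
    [string]$Folder = (Join-Path ([Environment]::GetFolderPath('UserProfile')) 'Downloads')
)

# Minimum safe update level per Java major version, as stated in the article.
$FixedUpdate = @{ 6 = 113; 7 = 97; 8 = 73 }

function Test-JavaInstallerOutdated {
    param([string]$Name)
    # Matches e.g. jre-8u72-windows-x64.exe or jdk-7u80-windows-i586.exe (assumed naming).
    if ($Name -match '^(?:jre|jdk)-(\d)u(\d+)-') {
        $major  = [int]$Matches[1]
        $update = [int]$Matches[2]
        if ($FixedUpdate.ContainsKey($major)) {
            return ($update -lt $FixedUpdate[$major])
        }
    }
    return $false
}

$installers = @(Get-ChildItem -Path $Folder -Filter '*.exe' -File -ErrorAction Stop)
$dlls       = @(Get-ChildItem -Path $Folder -Filter '*.dll' -File)

# Condition 1: any DLL in the same directory as an installer is a candidate for
# being loaded by that installer. Report each one with its Authenticode status so
# that unsigned or untrusted files stand out.
if ($installers.Count -gt 0 -and $dlls.Count -gt 0) {
    Write-Warning "$($dlls.Count) DLL file(s) share '$Folder' with $($installers.Count) installer(s)."
    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        [pscustomobject]@{
            File      = $dll.Name
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

# Condition 2: Java installers below the fixed builds should be deleted and
# re-downloaded, per Oracle's guidance quoted in the article.
foreach ($exe in $installers) {
    if (Test-JavaInstallerOutdated -Name $exe.Name) {
        Write-Warning "Outdated Java installer: $($exe.Name). Remove it and download 6u113, 7u97 or 8u73."
    }
}
```

Run it as `.\Audit-Downloads.ps1` (or with `-Folder` pointing at another directory). Because the flaw only matters while the installer runs, the simplest operational mitigation is to copy a freshly downloaded installer into a newly created empty directory and launch it from there, so no foreign DLL can sit beside it.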