Old JRE Vulnerability New Again

The Sun Java Runtime Environment (JRE) allows users to run Java applications.  JRE runs on virtually every modern operating system and platform out there.  It is a very attractive attack target for that very reason, and has seen many, many of its vulnerabilities exploited.  This one is kind of special…

JRE is prone to a security-bypass vulnerability in its “Java Update” mechanism, which fails to properly check digital signatures before installing updates.  According to Francisco Amato’s blog, a Trojan named FinFisher surfaced last week; it is sold exclusively to law enforcement and intelligence agencies for monitoring PCs and mobile devices.  FinFisher uses fake iTunes application updates as its infection vector.

Attackers can exploit this issue to bypass security restrictions and perform unauthorized actions, aiding in the success of other attacks.  This issue is related to a vulnerability supposedly patched in 2008 under CVE-2008-5355.  The latest patch (which snuck by me in November) is said to fix this vulnerability.  Four years after it was discovered and three years after it was “patched”…

Get it patched, even if you have nothing to fear from the Egyptian Government, et al.  It won’t be long before others are using this one, if they aren’t doing so already.
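For reference, this is the kind of check the post says the update mechanism fails to perform, written as an added example (not code from Java Update or from the original post). The class and method names, the RSA/SHA-256 scheme and the sample payloads are assumptions; a throwaway key pair stands in for a vendor key pinned in the client.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class VerifiedUpdate {
    // Hypothetical updater step: accept a payload only if its detached
    // signature verifies under the vendor key pinned in the client.
    static boolean verify(PublicKey pinned, byte[] payload, byte[] sig) {
        try {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(pinned);
            v.update(payload);
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // fail closed: malformed signature or bad key means no install
        }
    }

    static String install(PublicKey pinned, byte[] payload, byte[] sig) {
        // A missing signature is treated exactly like an invalid one.
        if (sig == null || !verify(pinned, payload, sig)) {
            return "REJECTED";
        }
        // A real client would write the payload to disk and run it only here.
        return "INSTALLED";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a throwaway key pair stands in for the vendor key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair vendor = kpg.generateKeyPair();

        byte[] genuine = "update-payload-v2".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(vendor.getPrivate());
        s.update(genuine);
        byte[] sig = s.sign();

        // Payload swapped in transit, original signature delivered alongside it.
        byte[] swapped = "substituted-payload".getBytes(StandardCharsets.UTF_8);

        System.out.println("genuine:  " + install(vendor.getPublic(), genuine, sig));
        System.out.println("swapped:  " + install(vendor.getPublic(), swapped, sig));
        System.out.println("unsigned: " + install(vendor.getPublic(), swapped, null));
    }
}
```

Only the first call reaches the install branch; the signature covers the payload bytes, so a substituted or unsigned download is refused before anything is executed.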
