Oracle Corp. has shipped a new version of its Java software that removes a feature attackers have been using to foist malicious software on users.
Java 6 Update 20 was released sometime in the last 24 hours and includes several security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that attackers had started using to install malware: the ability of a Web page to launch Java Web Start with arbitrary, attacker-supplied command-line arguments, which lets the page point Java at code of the attacker’s choosing.
On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software on visitors’ machines.
If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.
In other news about features in widely installed programs being used as a vehicle to load malware, security experts at M86 Security have spotted a spam campaign aimed at spreading the ZeuS Trojan that exploits a recently documented feature in at least two different PDF readers. That feature, known as the “launch action,” is intended to let a PDF start an application or print a document. Recently, however, it was shown that the same action can be abused to run arbitrary commands on the victim’s machine, including code carried inside the PDF itself, with no software vulnerability involved: the reader is doing exactly what the file asks.
Both Foxit Reader and Adobe Reader now warn users if a PDF file tries to invoke this launch action feature, and the alert box will look similar to the one pictured above. If you use these applications and happen to see one of these alerts, it’s probably a good idea to decline launching the file in question. Bear in mind that part of the dialog’s text comes from the PDF itself, so a crafted file can fill it with reassuring instructions; an unexpected launch prompt from a document you did not ask for is a red flag, whatever the dialog says. Adobe Reader users can also turn the feature off outright under Preferences, Trust Manager, by unchecking “Allow opening of non-PDF file attachments with external applications.”