Java malware spotted using stolen certificate
Same day as latest patch
If you haven't already run in the latest Java patch (issued yesterday), here's another good reason to do so: someone has turned up an exploit that uses signed code.
In this post, Eric Romang looks at a malicious applet that comes with a signature using credentials stolen from Clearesult Consulting in the US.
The stolen private key was posted to Pastebin. Even though the applet is using a now-revoked certificate, it seems that it's up to the user to check the revocation lists. Otherwise, if they trusted the assertion that the applet is signed, they would be well on the way to an infection.
The malicious applet probably had only limited exposure, since it was hosted at a German dictionary (http://dict.tu-chemnitz.de/) site that was infected with the g01pack exploit kit.
However, according to the Twitter message that first raised the alarm, the exploit was spotted on a machine running the version of Java that Oracle made obsolete yesterday (March 4, US time).
It'll still warrant testing, though. Announcing the patch, Oracle's Eric Maurice said the new install set Java's security settings to “High” by default, demanding that users authorize unsigned or self-signed apps before running them.
“In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin,” Oracle advises.
If the applet reported by Romang behaves as he describes, it still seems feasible to El Reg that a user might okay the installation rather than checking a revocation list to make sure the certificate is current.
Alternatively, the remaining Java users could just get rid of it. ®