Java: Security Updates Issued Amid Malware Warning

A Java update was released by Oracle that fixes about three dozen security flaws in the heavily used software.

Oracle released the update on its website on Wednesday.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 144 new security fixes across the product families listed below,” Oracle said in a statement.

The update is available from the built-in Java updater.

The update comes amid reports that the “Icefog” malware has infected several U.S. businesses, including an oil company, according to Kaspersky Labs, which makes the popular antivirus software of the same name. It’s unclear if the recent security update was related to “Icefrog.”

“Based on the IP address, one of the victims was identified as a very large American independent oil and gas corporation, with operations in many other countries,” wrote the Kaspersky Lab researchers–Costin Raiu, Vitaly Kamluk, and Igor Soumenkov–in a blog posting on Tuesday. “As of today, all victims have been notified about the infections. Two of the victims have removed it already.”

The three concluded: “With Javafog, we are turning yet another page in the Icefog story by discovering another generation of backdoors used by the attackers.”

“In one particular case, we observed the attack commencing by exploiting a Microsoft Office vulnerability, followed by the attackers attempting to deploy and run Javafog, with a different C&C. We can assume that based on their experience, the attackers found the Java backdoor to be more stealthy and harder to notice, making it more attractive for long term operations. (Most Icefog operations being very short – the ‘hit and run’ type),” the post reads.

“The focus on the US targets associated with the only known Javafog C&C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long term collection of intelligence on the target. This brings another dimensions to the Icefog gang’s operations, which appear to be more diverse than initially thought.”

On Wednesday, Microsoft issued updates for Windows. Adobe also issued security updates for AIR, Reader, and Flash.