
Java vulnerability exploited in Firefox

03/21/2012

Yesterday I was up from 23:00 to 03:00 in the morning trying to turn it off, and only today did I manage to definitively resolve the infection that exploited the Java vulnerability in Firefox (Figure 1), even though I am already on version 11.

I noticed that when I entered the website of a legitimate software company, the Java icon appeared and a fake antivirus was installed that does not let me open the command prompt, Task Manager, or other applications.

Additionally, it disabled McAfee and did not allow access for updating the DAT, because of the policies and the disabled services, as shown in the NAP Manager connection to my corporate network (Figure 2).

And the worst part is that McAfee only saw the trojan (Figure 1) after I manually did the DAT update (Daily DAT Update), when I had already found the virus in safe mode: a file named VWTFRZIUZ.exe in the TEMP directory within the user's profile.

The reason lies in the vulnerable Java JRE: installing 6.0.31 does not update Firefox, which continues with the old version (Figure 3), because the JRE 6.0.31 installer doesn't remove JRE 6.0.30, which is vulnerable, and with the two installed the vulnerability remains active (Figure 4).

I recommend you do what I had to do after already being infected:

  • Check which JRE Firefox is using
  • If it is earlier than JRE 6.0.31, manually remove that JRE through the Windows Control Panel
  • Install JRE 6.0.31 from the link: http://java.com/en/download/inc/windows_new_xpi.jsp if you need Java
  • Disable the Java plugin in browsers and enable it only for the sites that really need it
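
The first two steps can be checked from PowerShell. The script below is an added example, not part of the original post: it lists every JRE registered on the machine (not only the one Firefox loads) and flags any Java 6 build older than update 31. It assumes the standard JavaSoft registry keys and that the post's "6.0.31" appears there as `1.6.0_31`.

```powershell
# Added example: list every JRE registered on this Windows machine and flag
# builds older than the fixed update, since old and new JREs can coexist.
$MinUpdate = 31   # from the post: JRE 6 update 31 is the version to keep

# Assumed locations: standard JavaSoft keys (native and 32-bit-on-64-bit views).
$roots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'
)

function Get-InstalledJre {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            # Full-version subkeys look like 1.6.0_30; aliases such as "1.6" are skipped.
            if ($key.PSChildName -match '^1\.(\d+)\.0(?:_(\d+))?$') {
                $major  = [int]$Matches[1]
                $update = if ($Matches[2]) { [int]$Matches[2] } else { 0 }
                [pscustomobject]@{
                    Version  = $key.PSChildName
                    Major    = $major
                    Update   = $update
                    JavaHome = $key.GetValue('JavaHome')
                    Outdated = ($major -lt 6) -or ($major -eq 6 -and $update -lt $MinUpdate)
                }
            }
        }
    }
}

$jres = @(Get-InstalledJre)
$jres | Sort-Object Major, Update | Format-Table Version, JavaHome, Outdated -AutoSize

$old = @($jres | Where-Object Outdated)
if ($old.Count -gt 0) {
    # More than one row in the table with Outdated = True is the coexistence case.
    Write-Warning "$($old.Count) outdated JRE(s) still installed; remove them via Control Panel:"
    $old | ForEach-Object { Write-Warning "  $($_.Version) at $($_.JavaHome)" }
} elseif ($jres.Count -eq 0) {
    Write-Output 'No JRE registered under the JavaSoft keys.'
} else {
    Write-Output "All registered JREs are at 6 update $MinUpdate or later."
}
```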


Figure 1 – Trojan installed using the vulnerability in JRE 6.0.1


Figure 2 – Antivirus disabled by trojan


Figure 3 – Firefox’s Warning that the JRE 6.0.3 was still installed


Figure 4 – Coexistence of JREs; 6.0.3 is the vulnerable one


2 Comments
  1. bookmarked!!, I really like your web site!
