New Java vulnerability identified in archive processing: circumvents antivirus

Some antivirus vendors recommend against scanning inside archives to avoid a performance impact. This is because scanning the archive can mean the computer appears unresponsive or slow, but following this advice creates an opportunity for malware authors.

In the 4th quarter of 2012, Java exploits made their way to the top of the detection list in Microsoft’s Security Intelligence Report, suggesting that the malware authors may already be taking advantage of this.

When executing Java classes from within a Java archive, the class is extracted from the archive and decompressed into memory. By extracting the code and decompressing it in memory, there is no opportunity for “On Access” scanning to detect the malware using signatures in the same way as there is with many other executable file formats.

Other executable file formats are typically not decompressed into memory and executed, but rather, they are decompressed into a temporary file. This temporary file creates an opportunity for “On Access” scanning to detect the malicious code inside the archive while the file is being written to, or read from, the disk.

To exploit this vulnerability, malware authors can embed malicious code inside a Java archive where it will have an increased chance of evading detection by antivirus software.

The challenge for security professionals is that there’s often limited ability to “tune” their antivirus software to counter it. In many cases “On Access” scanning shares the same settings as “Scheduled” scanning.

Customers may well tolerant a performance impact for a scheduled scan at 3am, but they are far less likely to approve of even a 60 second wait for their Java application to start. At the moment, there seems to be very limited awareness of this potentially unwanted side effect.

Oracle and antivirus vendors will need to improve their solutions and options to counter this. While we wait, enterprises, individuals and security professionals are increasingly reliant on other technologies like host intrusion prevention or web and email gateway solutions, for protection.

Brad Ellis is the Managing Director at Ellis Network Associates.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags malwareantivirusJava vulnerability

More about MicrosoftOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Brad Ellis

Latest Videos

More videos

Blog Posts