If your downloads folder is a mess of installers and documents from ages past, you might occasionally check it before downloading a piece of software like Java. Oracle put out a statement Friday saying that those old installers might be compromised by files you’ve downloaded since, and that the only safe thing to do is delete the installer and download a fresh copy of Java.
The old installers are vulnerable to an exploit called binary planting, PC World is reporting. Older Java installers check the current directory and load up a number of DLL files, meaning any user who is tricked into downloading a malicious DLL could wind up giving attackers near total access to their computer.
“If successfully exploited, it results in a complete compromise of the unsuspecting user’s system,” wrote Eric P. Maurice, Oracle’s software security assurance director, who further explained that actually taking advantage of the security hole would be difficult.
“To be successfully exploited, this vulnerability requires that an unsuspecting user be tricked into visiting a malicious website, and downloading files to the user’s system before installing Java 6, 7, or 8,” he said. It’s an unlikely sequence, but not impossible — especially considering the way files tend to cluster in the downloads file and overwhelm users.
Oracle has issued a patched installer that addresses the issue, but the firm can’t retroactively patch installers already on your computer. Oracle outlined the specific versions that were vulnerable: “Java SE users who have downloaded any old version of Java SE prior to 6u113, 7u97, or 8u73 for later installation should discard these old downloads and replace them with 6u113, 7u97, or 8u73 or later,” the notice from Oracle states.
But if you really want to protect yourself from these exploits, keep your downloads folder tidy. If you don’t recognize a file there, delete it, otherwise store it somewhere else. If that’s too much effort, consider dragging executables to their own folder before running them.
