Five month old vulnerability used to spread Malware on Thu Aug 19, 2010 5:05 am
DragonMaster Jay
Site Owner

Microsoft is offering a heads up to those who are slow to patch Java installations. The software giant recently warned customers that a flaw in Java, patched almost five months ago, is being used by an obscure Malware family to spread.
The Malware family, known as Unruy in Microsoft’s detection scheme, is a Trojan that will drop spammy advertisements to an infected system, open up backdoors, and install Rogue anti-Virus software.
Recently, Microsoft noticed Unruy was using CVE-2010-0094, a vulnerability in Java, to attack remote systems. The Java flaw, which if exploited allows code execution, exists within the deserialization of RMIConnectionImpl objects.
“Due to a lack of privilege checks during deserialization it is possible to supply privileged code in the ClassLoader of a constructor being deserialized. This allows for a remote attacker to call system level Java functions without proper sandboxing. Exploitation of this can lead to remote system compromise under the context of the currently logged in user,” ZDI said when the details of the flaw were published earlier this year.
In short, loading a malicious Java applet is all a user needs to do to grant the attacker access. The flaw is present in versions of the Java Runtime Environment up to version 6 update 18.
More: http://www.thetechherald.com/article.php/201033/6037/Five-month-old-vulnerability-used-to-spread-Malware
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner
