A Java Safe Full of PUPs

What is it? A website telling the end-user that they need to update their Java install.

Why is it risky? When random websites are telling you to update “security features”, there’s a good chance there is something in it for the person giving you the heads up. Security updates shouldn’t come with additional bundled software.

Do we detect it? Yes, as PUP.Optional.BundleInstaller.A

Always be careful where you grab downloads of system-critical (or not) files. Case in point, our old friend Java.

There are sites out there which will try to convince you to download “Free Java security updates”.

In my experience, security updates don’t come bundled with additional programs such as “toolbars, browser add-ons, game applications, antivirus applications and other types of applications”. Yet that is exactly the possibility we have here.

Presenting Java-safe(dot)org:

Java safe

The site resembles the real Java website, mentions a “Free Java security update” in the background and pops a box which says “Warning: your current browser is outdated”, and that a “critical security update” is required for your Java Player.

In other words, scam tactics going back to the days when Myspace ruled the roost and everybody was using Hotmail. Clicking through to the “update” leads end-users to the following install splash on another URL:

Update time!

Note the text at the bottom of the page, which doesn’t sound like something you’re usually informed of when grabbing any form of security update. The installer itself needs to be run on a net-connected PC, lest the end-user be presented with an error.

I quite like the “broken” images in the first splash an end-user sees while running this online:

Broken images

From there, they’ll have to wade through a fair amount of text related to various EULA agreements for shopping helpers, PC optimizers and so on.

T&Cs

Eventually, the desktop looks like this:

Windows everywhere

“Ooops it looks like it wasn’t the product you wanted”

Well, that could be the case because where this install is concerned, it didn’t actually give me anything Java-related in the install. In three lots of testing – two with everything installed and one without – we saw no sign of Java being updated as a result of this particular bundle.

If you need to get your hands on a Java install, then go straight to the source. If and when Java needs to be updated, it’ll tell you. Be very cautious around websites giving you the lowdown on system and program updates – more often than not, a couple of additional items will be coming along for the ride…

Christopher Boyd (Thanks to Adam @Kujman5000 for additional testing)

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.