CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 15th, 2010

Critical Java Vulnerability Exploited On Songlyrics.com

A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle’s Java virtual machine, which is installed on hundreds of millions of computers worldwide.

The site, songlyrics.com, is serving up javascript that invokes the weakness disclosed last week by security researcher Tavis Ormandy. After determining that the bug made it trivial for attackers to remotely execute malicious code on end-user machines, he said he alerted Java handlers inside Oracle’s Sun division, but they decided no patch was necessary outside of the next update release scheduled for July.

AVG Technologies Chief Research Officer Roger Thompson, who discovered the in-the-wild attack, said songlyrics.com reaches out to another domain, assetmancomjobs.com, for a malicious JAR, or Java Archive, file and gets a 404 error indicating the payload isn’t available. “The attack site has been flaky,” he said. “We can’t get at the code they’re trying to download but it’s sure trying to download.”

He said songlyrics.com appears to be compromised by attackers for the purpose of exploiting the Java vulnerability. He said people should stay away from both sites for the time being unless they are experienced security researchers.

The bug in the Java Web Start component has been confirmed exploitable on all recent versions of Windows by Ormandy and fellow researcher Ruben Santamarta of Spain-based security firm Wintercore. The latter researcher said a related flaw potentially affects Linux users as well.

Both researchers stressed the ease in which attackers can exploit the bug using a website that silently passes malicious commands to various Java components that jump-start applications in Internet Explorer, Firefox, and potentially other browsers. The vulnerability has existed since April 2008, when Sun tweaked the Java Web Start feature in Java 6, update 10.

Short of uninstalling Java altogether, it’s not easy to prevent the kind of drive-by attacks Ormandy and Santamarta have warned are possible. Merely disabling ActiveX or Firefox plugins isn’t enough because the Java toolkit that’s responsible is installed separately from Java. That means the only temporary fixes are browser specific for IE and Firefox and involve setting killbits or employing file system access control list features.

Detailed documentation on killbits is provided by Microsoft here: http://support.microsoft.com/kb/240797

Credit: The Register

Share this item with others:

More on CyberInsecure:
  • High Risk Of Malicious Code Execution Attacks Due To Mac OS X 6-month Old Java Flaw
  • Critical Adobe Shockwave Player Vulnerability Affects Millions
  • Critical PDF Processing Vulnerability In BlackBerry Enterprise Server
  • Opera Software Fixes Two Security Vulnerabilities In Opera 9.60
  • Critical Flash Player, Acrobat, Reader Vulnerability Exploited In The Wild

    • Posted in Breaches And Incidents, Malware, Software, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Thursday, April 15th, 2010 at 12:10 am and is filed under Breaches And Incidents, Malware, Software, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Critical Java Vulnerability Exploited On Songlyrics.com

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »