Hackers exploit new Java zero-day bug

Song lyrics site redirects users to Russian attack server, which attacks IE, Firefox users

Just five days after a Google researcher published information of an unpatched Java bug, a compromised song lyrics site is sending users to a Russian attack server exploiting the flaw to install malware, an antivirus firm said today.

Last Friday, Google's Tavis Ormandy posted details of the Java vulnerability to the Full Disclosure security mailing list, spelling out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. According to Ormandy, all versions of Java for Windows since SE 6 update 10 -- which debuted two years ago -- are vulnerable. Other operating systems running Java are unaffected, he said.

Roger Thompson, chief research officer at AVG Technologies, said Songlyrics.com was unwittingly redirecting users to a Russian attack server feeding Ormandy's exploit to victims.

Songlyrics.com includes an IFRAME that shunts visitors to the Russian site, where users are subjected to assault from both Ormandy's exploit as well as a larger-scale exploit toolkit. "Typically, they throw a whole bunch [of exploits at victims] at once and see what sticks," said Thompson via instant message, talking about the multi-stage attack that includes the Java exploit.

Songlyrics.com, which provides lyrics for tracks by the likes of Lady Gaga, Rihanna, Usher and Miley Cyrus, was apparently compromised by hackers, who added the redirecting IFRAME to the site, said Thompson. E-mails to the site's administrator have gone unanswered, he added.

Windows users running Microsoft 's Internet Explorer (IE) and Mozilla's Firefox are at risk if they have the Java browser plug-in installed. "Chrome seems to be safe, but that's not guaranteed," Thompson said.

That hackers quickly jumped on the Java bug didn't shock him. "The code involved is really simple, and that makes it easy to copy, so it's not surprising that just five days later, we're detecting that code," Thompson said, referring to the attack code Ormandy published on the mailing list. He also figures that others will rapidly follow suit. "It's so easy to use and copy that I would expect that it'll be in the [exploit tool]kits in a few days."

Although Ormandy reported the flaw to Sun -- now part of Oracle -- he said the company declined to rush out a patch. "They informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote on the mailing list. "I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."

Oracle patched Java last week; its next regularly-scheduled update is slated for July.

Oracle did not reply to a request seeking comment on the vulnerability, or to questions about its patching plans now that Ormandy's exploit is being used by hackers. Songlyrics.com also did not respond to e-mailed questions from Computerworld .

"This will soon be everywhere, so Sun will need to issue an out-of-band patch," bet Thompson.

Until Oracle patches the problem, or if it refuses to address the flaw, users can protect themselves by applying the IE and Firefox workarounds that Ormandy offered last week on Full Disclosure. The SANS Institute's Internet Storm Center has reposted Ormandy's workarounds .

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hackersOraclesunjavaFirefoxInternet Explorerpatchingexploits

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?