Oracle issues emergency Java patch to stop zero-day attacks
Quashes bug being used by hackers to install attack code
Computerworld - Oracle today patched a critical Java vulnerability that is being exploited by hackers to install malicious software.
The security update to Java SE 6 Update 20 patches a bug disclosed last Friday by Google security researcher Tavis Ormandy, who spelled out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. Only systems running Windows are at risk.
Oracle's patch appears quick and dirty, Ormandy said. "They've completely removed the vulnerable feature, literally replaced with 'return 0,'" he said on Twitter.
The company noted as much in the advisory that accompanied the update. "A Java Network Launch Protocol (JNLP) file without a codebase parameter, such as the following, will no longer work with the Java SE 6 update 20 release," said Oracle. "This means that developers must specify the codebase parameter in a JNLP file."
Although Ormandy reported the flaw to Oracle before going public, he said the company declined to rush out a patch. "They informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote on the Full Disclosure security mailing list last Friday. "I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."
Other researchers noted Oracle's turnaround today. "So it turns out that Oracle can actually patch Java in less than a week! Funny how vendors only care to do this after full-disclosure," said noted browser researcher Alexander Sotirov, also on Twitter.
Yesterday, Roger Thompson, AVG Technologies' chief research officer, revealed that hackers were already using Ormandy's proof-of-exploit code to plant malware on unsuspecting users. A U.S.-based Web site, Songlyrices.com had been compromised by attackers, and was redirecting visitors to a Russian server feeding the Java attack as well as other exploits.
Later Wednesday, Songlyrics.com confirmed that one or more advertisements on its site had contained an IFRAME that was shunting users to the Russian attack site. "It appears our ad server, OpenX, was hacked into," said Dan O'Brien of SoundMedia, the company that operates Songlyrics.com. OpenX is a free, open-source ad server.
"Our OpenX version was upgraded in March last year, but there has been a new release since," O'Brien continued. "We have removed all the OpenX ads on SongLyrics.com until we can get everything fixed."
According to Thompson, users running Microsoft's Internet Explorer (IE) or Mozilla's Firefox browser with the Java plug-in installed are vulnerable to attacks using Ormandy's exploit code. Google's Chrome, however, is probably safe.
Java SE 6 Update 20 can be downloaded from Oracle's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Troubleshooting Common Issues in VoIP Learn more about Voice over Internet Protocol (VoIP), including common VoIP metrics used, best practices in VoIP management and tips and tricks for...
- 2013 Network Management Software (NMS) Buyers Guide This white paper contains an independent comparison study of six different network management solutions and provides guidance on how you can choose the...
- Rightsizing Your Network Performance Management Solution: 4 Case Studies This white paper discusses challenges encountered as organizations search for the most cost-effective network performance management solution.
- Global Growing Pains: Tapping into B2B Integration Services to Overcome Global Expansion Challenges A recent survey by IDG Research explored both the challenges and pain points companies face when growing globally, as well as the capabilities...
- E-Signature RFP Checklist Webcast If your organization is looking to adopt e-signatures, you may be overwhelmed by the number of providers that offer seemingly similar solutions. How...
- Cloud and Collaboration: Driving Your Business Value Mission Critical Cloud from Peer 1 Hosting is enterprise-grade. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!