Oracle issues emergency Java patch to stop zero-day attacks
Quashes bug being used by hackers to install attack code
Computerworld - Oracle today patched a critical Java vulnerability that is being exploited by hackers to install malicious software.
The security update to Java SE 6 Update 20 patches a bug disclosed last Friday by Google security researcher Tavis Ormandy, who spelled out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. Only systems running Windows are at risk.
Oracle's patch appears quick and dirty, Ormandy said. "They've completely removed the vulnerable feature, literally replaced with 'return 0,'" he said on Twitter.
The company noted as much in the advisory that accompanied the update. "A Java Network Launch Protocol (JNLP) file without a codebase parameter, such as the following, will no longer work with the Java SE 6 update 20 release," said Oracle. "This means that developers must specify the codebase parameter in a JNLP file."
Although Ormandy reported the flaw to Oracle before going public, he said the company declined to rush out a patch. "They informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote on the Full Disclosure security mailing list last Friday. "I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."
Other researchers noted Oracle's turnaround today. "So it turns out that Oracle can actually patch Java in less than a week! Funny how vendors only care to do this after full-disclosure," said noted browser researcher Alexander Sotirov, also on Twitter.
Yesterday, Roger Thompson, AVG Technologies' chief research officer, revealed that hackers were already using Ormandy's proof-of-exploit code to plant malware on unsuspecting users. A U.S.-based Web site, Songlyrices.com had been compromised by attackers, and was redirecting visitors to a Russian server feeding the Java attack as well as other exploits.
Later Wednesday, Songlyrics.com confirmed that one or more advertisements on its site had contained an IFRAME that was shunting users to the Russian attack site. "It appears our ad server, OpenX, was hacked into," said Dan O'Brien of SoundMedia, the company that operates Songlyrics.com. OpenX is a free, open-source ad server.
"Our OpenX version was upgraded in March last year, but there has been a new release since," O'Brien continued. "We have removed all the OpenX ads on SongLyrics.com until we can get everything fixed."
According to Thompson, users running Microsoft's Internet Explorer (IE) or Mozilla's Firefox browser with the Java plug-in installed are vulnerable to attacks using Ormandy's exploit code. Google's Chrome, however, is probably safe.
Java SE 6 Update 20 can be downloaded from Oracle's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts