Oracle issues emergency Java patch to stop zero-day attacks
Quashes bug being used by hackers to install attack code
Computerworld - Oracle today patched a critical Java vulnerability that is being exploited by hackers to install malicious software.
The security update to Java SE 6 Update 20 patches a bug disclosed last Friday by Google security researcher Tavis Ormandy, who spelled out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. Only systems running Windows are at risk.
Oracle's patch appears quick and dirty, Ormandy said. "They've completely removed the vulnerable feature, literally replaced with 'return 0,'" he said on Twitter.
The company noted as much in the advisory that accompanied the update. "A Java Network Launch Protocol (JNLP) file without a codebase parameter, such as the following, will no longer work with the Java SE 6 update 20 release," said Oracle. "This means that developers must specify the codebase parameter in a JNLP file."
Although Ormandy reported the flaw to Oracle before going public, he said the company declined to rush out a patch. "They informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote on the Full Disclosure security mailing list last Friday. "I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."
Other researchers noted Oracle's turnaround today. "So it turns out that Oracle can actually patch Java in less than a week! Funny how vendors only care to do this after full-disclosure," said noted browser researcher Alexander Sotirov, also on Twitter.
Yesterday, Roger Thompson, AVG Technologies' chief research officer, revealed that hackers were already using Ormandy's proof-of-exploit code to plant malware on unsuspecting users. A U.S.-based Web site, Songlyrices.com had been compromised by attackers, and was redirecting visitors to a Russian server feeding the Java attack as well as other exploits.
Later Wednesday, Songlyrics.com confirmed that one or more advertisements on its site had contained an IFRAME that was shunting users to the Russian attack site. "It appears our ad server, OpenX, was hacked into," said Dan O'Brien of SoundMedia, the company that operates Songlyrics.com. OpenX is a free, open-source ad server.
"Our OpenX version was upgraded in March last year, but there has been a new release since," O'Brien continued. "We have removed all the OpenX ads on SongLyrics.com until we can get everything fixed."
According to Thompson, users running Microsoft's Internet Explorer (IE) or Mozilla's Firefox browser with the Java plug-in installed are vulnerable to attacks using Ormandy's exploit code. Google's Chrome, however, is probably safe.
Java SE 6 Update 20 can be downloaded from Oracle's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!