Oracle issues emergency Java patch to stop zero-day attacks
Quashes bug being used by hackers to install attack code
Computerworld - Oracle today patched a critical Java vulnerability that is being exploited by hackers to install malicious software.
The security update to Java SE 6 Update 20 patches a bug disclosed last Friday by Google security researcher Tavis Ormandy, who spelled out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. Only systems running Windows are at risk.
Oracle's patch appears quick and dirty, Ormandy said. "They've completely removed the vulnerable feature, literally replaced with 'return 0,'" he said on Twitter.
The company noted as much in the advisory that accompanied the update. "A Java Network Launch Protocol (JNLP) file without a codebase parameter, such as the following, will no longer work with the Java SE 6 update 20 release," said Oracle. "This means that developers must specify the codebase parameter in a JNLP file."
Although Ormandy reported the flaw to Oracle before going public, he said the company declined to rush out a patch. "They informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote on the Full Disclosure security mailing list last Friday. "I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."
Other researchers noted Oracle's turnaround today. "So it turns out that Oracle can actually patch Java in less than a week! Funny how vendors only care to do this after full-disclosure," said noted browser researcher Alexander Sotirov, also on Twitter.
Yesterday, Roger Thompson, AVG Technologies' chief research officer, revealed that hackers were already using Ormandy's proof-of-exploit code to plant malware on unsuspecting users. A U.S.-based Web site, Songlyrices.com had been compromised by attackers, and was redirecting visitors to a Russian server feeding the Java attack as well as other exploits.
Later Wednesday, Songlyrics.com confirmed that one or more advertisements on its site had contained an IFRAME that was shunting users to the Russian attack site. "It appears our ad server, OpenX, was hacked into," said Dan O'Brien of SoundMedia, the company that operates Songlyrics.com. OpenX is a free, open-source ad server.
"Our OpenX version was upgraded in March last year, but there has been a new release since," O'Brien continued. "We have removed all the OpenX ads on SongLyrics.com until we can get everything fixed."
According to Thompson, users running Microsoft's Internet Explorer (IE) or Mozilla's Firefox browser with the Java plug-in installed are vulnerable to attacks using Ormandy's exploit code. Google's Chrome, however, is probably safe.
Java SE 6 Update 20 can be downloaded from Oracle's site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts