Hackers exploit new Java zero-day bug
Song lyrics site redirects users to Russian attack server, which attacks IE, Firefox users
Computerworld - Just five days after a Google researcher published information of an unpatched Java bug, a compromised song lyrics site is sending users to a Russian attack server exploiting the flaw to install malware, an antivirus firm said today.
Last Friday, Google's Tavis Ormandy posted details of the Java vulnerability to the Full Disclosure security mailing list, spelling out how attackers could run unauthorized Java programs on a victim's machine by using a feature designed to let developers distribute their software. According to Ormandy, all versions of Java for Windows since SE 6 update 10 -- which debuted two years ago -- are vulnerable. Other operating systems running Java are unaffected, he said.
Roger Thompson, chief research officer at AVG Technologies, said Songlyrics.com was unwittingly redirecting users to a Russian attack server feeding Ormandy's exploit to victims.
Songlyrics.com includes an IFRAME that shunts visitors to the Russian site, where users are subjected to assault from both Ormandy's exploit as well as a larger-scale exploit toolkit. "Typically, they throw a whole bunch [of exploits at victims] at once and see what sticks," said Thompson via instant message, talking about the multi-stage attack that includes the Java exploit.
Songlyrics.com, which provides lyrics for tracks by the likes of Lady Gaga, Rihanna, Usher and Miley Cyrus, was apparently compromised by hackers, who added the redirecting IFRAME to the site, said Thompson. E-mails to the site's administrator have gone unanswered, he added.
Windows users running Microsoft's Internet Explorer (IE) and Mozilla's Firefox are at risk if they have the Java browser plug-in installed. "Chrome seems to be safe, but that's not guaranteed," Thompson said.
That hackers quickly jumped on the Java bug didn't shock him. "The code involved is really simple, and that makes it easy to copy, so it's not surprising that just five days later, we're detecting that code," Thompson said, referring to the attack code Ormandy published on the mailing list. He also figures that others will rapidly follow suit. "It's so easy to use and copy that I would expect that it'll be in the [exploit tool]kits in a few days."
Although Ormandy reported the flaw to Sun -- now part of Oracle -- he said the company declined to rush out a patch. "They informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote on the mailing list. "I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."
Oracle patched Java last week; its next regularly-scheduled update is slated for July.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast Best Practices: How to Improve Business Continuity with Virtualization VMware solutions include a range of business continuity capabilities to help ensure availability for applications across your virtualized environment. Learn More>>
- Live Webcast
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts