Just days after Google researcher Tavis Ormandy released details on a dangerous new Java vulnerability, malicious hackers have pounced and are exploiting the flaw in the wild to launch drive-by download attacks.
Virus hunters have spotted the attacks on a popular song lyrics Web site. Any visitor to that Web site with the Java Plugin for Browsers installed (Internet Explorer or Firefox) will get infected with malware.
According to AVG’s Roger Thompson, the attacks are likely to spread because of the simplicity in launching a successful exploit:
The code involved is really simple, and that makes it easy to copy, so it’s not surprising that just five days later, we’re detecting that code at an attack server in Russia.
The main lure so far seems to be a song lyrics publishing site, with Rihanna, Usher, Lady Gaga and Miley Cyrus being used, among others.
[ SEE: Serious New Java Flaw Affects All Current Versions of Windows ]
As of 12:00 noon EST today (Wednesday April 14), the song lyrics site was still launching the drive-by downloads.
I have confirmed the infective site is also launching exploits targeting at least three Adobe Reader vulnerabilities.
The appearance of in-the-wild attacks will hopefully force Oracle Sun to issue an emergency patch to fix this critical issue. When Google’s Ormandy reported the issue and warned of the severity, Sun declined to issue a prompt fix.
Ormandy laments:
Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.
For various reasons, I explained that I did did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.
“The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor,” Ormandy explaned.
The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running “javaws.exe” without validating command-line parameters.
“These parameters can be controlled by attackers via specially crafted embed HTML tags within a Web page,” Santamarta warned.
The issue affects all versions since Java SE 6 update 10 for Microsoft Windows. Disabling the Java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.
