Wednesday, April 14, 2010

Java Zero-Day Attacks In The Wild

Via Threatpost.com -

Just days after Google researcher Tavis Ormandy released details on a dangerous new Java vulnerability, malicious hackers have pounced and are exploiting the flaw in the wild to launch drive-by download attacks.

Virus hunters have spotted the attacks on a popular song lyrics Web site. Any visitor to that Web site with the Java Plugin for Browsers installed (Internet Explorer or Firefox) will get infected with malware.

According to AVG's Roger Thompson, the attacks are likely to spread because of the simplicity in launching a successful exploit:
The code involved is really simple, and that makes it easy to copy, so it's not surprising that just five days later, we're detecting that code at an attack server in Russia.

The main lure so far seems to be a song lyrics publishing site, with Rihanna, Usher, Lady Gaga and Miley Cyrus being used, among others.
As of 12:00 noon EST today (Wednesday April 14), the song lyrics site was still launching the drive-by downloads.

I have confirmed the infective site is also launching exploits targeting at least three Adobe Reader vulnerabilities.

The appearance of in-the-wild attacks will hopefully force Oracle Sun to issue an emergency patch to fix this critical issue. When Google's Ormandy reported the issue and warned of the severity, Sun declined to issue a prompt fix.

[...]

The issue affects all versions since Java SE 6 update 10 for Microsoft Windows. Disabling the Java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.

-------------------------------------------------

Personally, I feel that Oracle/Sun should have already come out with an official statement on the issue...if only to inform and advise their customers on the serious problem and to lay out official mitigation techniques.

While it might remain unanswered now, the question of why Sun didn't take the private advisory from Ormandy more seriously in the first place will ultimately have to be asked...
