Java zero-day flaw under active attack

Java zero-day flaw under active attack

Summary: Virus hunters have spotted the attacks on a popular song lyrics Web site. Any visitor to that Web site with the Java Plugin for Browsers installed (Internet Explorer or Firefox) will get infected with malware.


Just days after Google researcher Tavis Ormandy released details on a dangerous new Java vulnerability, malicious hackers have pounced and are exploiting the flaw in the wild to launch drive-by download attacks.

Virus hunters have spotted the attacks on a popular song lyrics Web site.  Any visitor to that Web site with the Java Plugin for Browsers installed (Internet Explorer or Firefox) will get infected with malware.

According to AVG's Roger Thompson, the attacks are likely to spread because of the simplicity in launching a successful exploit:

The code involved is really simple, and that makes it easy to copy, so it's not surprising that just five days later, we're detecting that code at an attack server in Russia.

follow Ryan Naraine on twitter

The main lure so far seems to be a song lyrics publishing site, with Rihanna, Usher, Lady Gaga and Miley Cyrus being used, among others.

As of 12:00 noon EST today (Wednesday April 14), the song lyrics site was still launching the drive-by downloads.

I have confirmed the infective site is also launching exploits targeting at least three Adobe Reader vulnerabilities.

[ SEE: Sun Java flaw exposes Windows users to dangerous Web attacks ]

The appearance of in-the-wild attacks will hopefully force Oracle Sun to issue an emergency patch to fix this critical issue.  When Google's Ormandy reported the issue and warned of the severity, Sun declined to issue a prompt fix.

Ormandy (right) laments:

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

For various reasons, I explained that I did did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.

“The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor,” Ormandy explaned.

The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running “javaws.exe” without validating command-line parameters.

“These parameters can be controlled by attackers via specially crafted embed HTML tags within a Web page,” Santamarta warned.

The issue affects all versions since Java SE 6 update 10 for Microsoft Windows. Disabling the Java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.

Topics: Software Development, Open Source, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • "...all versions since Java SE 6 update 10 for Microsoft Windows." Hmm...

    Why is it that windows must always have a say in most, if not all, active successful attacks?
    Great Kahuna
    • Why Microsoft Windows...

      yeah, it's aggravating, BUT, you have to
      consider that over 90% market is a rather BIG
      target...if the miscreants are "creative",
      there could be other platforms affected at
      some point. Sheesh...back to DOS, hehe!
      • Your math doesn't add up. Let's put it other way:

        For the sake of argument let us assume that desktop Linux has a 1% market share. Then to be on par with the rest of the market it should account for 1% of all desktop vulnerabilities.

        But it does not, it accounts for only an infinitesimal percentage of all vulnerabilities. The ratio of Linux market share to vulnerabilities is a very big number while that of windows is roughly 0.9!

        How do you explain that?
        Great Kahuna
        • Nothing to explain...

          let's say your a bored Russian teen, and
          you've been approached by someone to grab
          a few hundred thousand credit/debit card
          numbers. You look at the potential targets,
          you see Windows, Macintosh, Linux, BeOS,
          AIX, Solaris, etc. You've also read the
          stats, and there is no end to published
          exploits and example codes available for
          1 or 2 platforms...who do you aim at?
          Aiming for Linux...crapshoot at best with
          all the different distributions...AIX,
          those servers are "usually" well administered,
          BeOS, Solaris ditto. Macintosh...possible
          target...but those Windows machines, so
          many...if you "shotgun" your malware at say
          100,000 machines, and get a 1% "success"
          ratio, that's how many? 1,000 compromised.
          That's a lot for minimal effort.
          If Linux has 1% of the "marketplace", and you
          might get a 1% return...minimal return for
          a lot more work.
          • Still it does not add up.

            Attacks are carried through the Web, where the OS is pretty much irrelevant. When you prepare to launch an attack you select a vulnerability to exploit not a target OS.

            Yes, there's published Linux vulnerabilities but when attackers try to use them in an exploit they find so many hurdles in their way that they quit because they will never be able to make it work in a real situation.

            Then they choose an easier exploit which, surprise, will work just fine in windows.
            Great Kahuna
        • Bad assumption on your part

          I explain that by saying you've made bad assumptions.

          Assumption #1: there is a direct 1:1 correlation of OS market share to vulnerability count. Are folks trying as hard to break Linux as they are Windows, and are there proportionally as many of them?

          Assumption #2: Sun, a Unix stalwart, by virtue of providing Java for Windows inherits Windows' propensity for vulnerabilities. Are you kidding?

          Assumption #3: Linux has few vulnerabilities based on an unknown truth that there are actually few vulnerabilities. How could you prove that? How many could be lurking because no one is working hard to find them?

          Nothing against Linux - I use it everyday as well as Windows. And I'll tell you that Linux, in and of itself, is not as user friendly as Windows, hence I assume Linux developers are much less talented as Windows developers in providing usable products and interface.

          How do you explain that?
          Old Techie
          • User friendliness depends on the user

            I don't see windows as user friendly at all, quite the contrary.

            I hate Windows because when I used it it kept getting in my way of doing things constantly imposing its own ways on me. Not friendly at all, windows had no respect for me, not friendly at all.

            Now Linux is what I call a user friendly OS because it lets me customize it to my heart's content. It accepts my choices and respects them.

            That what I need in a friend: <b>respect</b>!!!
            Great Kahuna
          • WHY!!!

            More like a trick cyclist than respect old my we are full of ourselves tonight is it your bedtime yet?
            Richard Turpin
          • Some of us value freedom of choice

            Apparently some of you don't.
            Great Kahuna
          • User friendliness..

            is in the eye of the end user. Many of my Linux clients (who used to be windows users, btw) would wholeheartedly disagree with you. System maintenance is one huge issue with so called "user friendliness". Look at what you have to deal with in windows; keeping the registry clean, running anti-virus and spyware scanners constantly, constantly rebooting after updates, defragging etc. Sure these are typically automated, however the average user (mom and pop computer user) has not a clue on how to even set this mess up to start with. Most barely know how to turn their computers on.

            I did an experiment not too long ago with a few older folks who rarely ever use a computer and put Mepis and PCLinuxOS on their machines. These folks ran it for a month then ran windows for a month. Guess what? Linux was less of a hassle for them.

            My point is, it depends on what the computer is being used for, (in Linux) the type of distro, the savvy of the end user, etc. Blanket statements like "Linux, in and of itself, is not as user friendly as Windows" just doesn't fly. The right tool for the right job.
        • Hackers target the big guy

          The big guy will also be the target. If it were the other way around and Linux had a 90% market share, then hackers would be targeting Linux. BTW, Great Kahuna, I guess you have a lot of time to monitor these groups and spout your linux propaganda since your are running an OS that can't run 99% of the software out there.
          • Your reasoning is seriously flawed, looks like you need a firmware upgrade.

            Too bad neurosurgery has not yet reached that level of sophistication.
            Great Kahuna
          • Actually it's your reasoning that's flawed...

            Windows is a much larger target, so the point of "more bang for the buck" being a target for this particular vulnerability is dead on.


            You, however, seem to have a serious grudge against Windows with a touch of that good old fashioned Linux inferiority complex.

            I'm not saying that Linux is inferior, I'm saying that folks who rally the Linux banner at every turn FEEL inferior (or perhaps like red-headed bastard step-children) and so have to scream and shout Linux off the rooftops at everyone, regardless of who's koolaid they've already consumed.

            You, sadly, appear to fall into that very same category. Except that your particular twist on that is "why isn't Linux good enough for virus writers?"

            If the day comes that Linux has more than a microscopic amount of desktops, hell, if Linux ever attains the percentage of Macs in the desktop space, I'm sure that the virus writers will turn around and start attacking Linux.

            As for attacking Mac owners, what's the point? They've already spent all their money on Mac equipment, so they're broke.
          • Boy, Are you deluded?

            Feeling inferior, huh?

            You're reading it all wrong, you urgently need to acquire some basic social skills.
            Great Kahuna
          • RE:Hackers target the big guy

            I really hate seeing terms misused!

            From Wikipedia:

            The terms "hack" and "hacking" are also used to refer to a modification of a program or device to give the user access to features that were otherwise unavailable, such as by circuit bending. It is from this usage that the term "hacking" is often incorrectly used to refer to more nefarious criminal uses such as identity theft, credit card fraud or other actions categorized as computer crime; there being a distinction between security breaking and hacking, a better term for security breaking would be "cracking".[1]

            Also from Wikipedia:

            The term achieved widespread use in the 1960s and its meaning then evolved to a quick, elaborate and/or bodged solution students devised for a technical obstacle; it was used with hacker, meaning one who discovers and implements a hack.

            It is truly terrible what some people do to the English language. Decimate to describe something being almost totally wiped out, for example, instead of being reduced by 10%. Or, my personal favorite, "pride goes before a fall" instead of the correct "pride goes before destruction and a haughty spirit before a fall"... Just drives me nuts.
          • Get over it

            Language is a living thing. It morphs with its usage. The general public, and even many nerds, geeks, etc. have long since stopped caring about the distinction between hacking and cracking.

            BTW, the most often heard phrase is "pride goeth before a fall".

            I hope, by decimating your point, I haven't driven you nuts, but then you must be there already.
          • RE:Get over it

            ...BTW, the most often heard phrase is "pride goeth before a fall"....

            That may be the phrase but it is not the way it was written. Unless it is a spelling issue. Depends on which version of the Bible you read it in. Kind of curious as to how you think you reduced my point by 10%, though. Anyway, if your posting on a tech forum and don't know the difference between hacking and cracking and don't care to know the difference it says something about you. Of course. given the level of discourse in these forums. one learns a lot more about posters than one cares to, don't you think?
        • Your premise fails

          Please explain the logic supporting your premise that there would/should be a 1:1 correlation between malware and market share.

          I would be amazed if .0001% of criminals would be stupid enough to expend the same effort to exploit an OS with even 5% market share, as they would to exploit the OS with over 90% market share. Where is the ROI in that?
          • By that logic Rolex should be out of business---

            since they are targeting a very small market.

            Hint: Niche marketing can be a very lucrative business, just ask Steve Jobs.
            Great Kahuna
          • More flawed logic; doesn't anyone think b4 posting

            Rolex is in business because they have identified a niche that is willing to pay more than most for their watches.

            Apple is in business because users were willing to pay more for more hand-holding.

            As someone has already mentioned, he likes Linux because it lets him configure his OS to his liking.

            Side note: therefore Linux and Apple are niches at opposite ends of the spectrum.

            By your logic, there would have to be much more value to steal from a typical Linux user (vs the typical Windows user) to justify the effort of pursuing victims in this niche market.

            That logic fails. My question still stands.

            Where is the ROI for spending even the same amount of effort to setup an exploit, when so few of the visitors to your site will become victims (regardless of how securely they did or did not setup their mini-market-share OS)?