Unpatched Java hole exploited at lyrics site

Researchers say vendor should issue a patch for the flaw in Java Web Start before more attacks come.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read


An unpatched hole in Java was being exploited to target visitors to a song lyrics Web site and more attacks are likely, researchers warned on Wednesday.

The flaw in Java Web Start, disclosed last week by several security researchers, affects Windows systems running Firefox and Internet Explorer, said Roger Thompson, AVG chief research officer. He said he couldn't get it to work on Chrome though, despite reports that it does.

Thompson found exploit code for both the Java hole and one in Adobe Reader on servers in Russia that was triggered by computers visiting English-language site Songlyrics.com. The site was later cleaned up, he said.

Basically, when a visitor surfed to the site a malicious iFrame inside one of the ads on the page automatically directed the computer to the server hosting the exploits, without the visitor having to click on the ad, Thompson said in an interview.

One of the exploits popped up the Adobe Reader terms of use window and the other reached out to another server to grab a malicious Java file, he said. (Ryan Naraine at CNET sister site ZDNet says he confirmed that the site was launching at least three exploits targeting Adobe Reader.)

If Thompson had been using an unpatched version of Reader that part of the attack could have worked, he said. Meanwhile, the Java file with the payload for downloading malware was offline, so he's not sure what would have happened if the attack had been successful. He suspects the payload would have installed a back door.

"This could have been a test," he said, adding that he expects to see more exploits in-the-wild targeting the Java hole soon.

"The code involved is really simple, and that makes it easy to copy, so it's not surprising that just five days later, we're detecting that code at an attack server in Russia," Thompson wrote in a blog post.

"The main lure so far seems to be a song lyrics publishing site, with Rihanna, Usher, Lady Gaga and Miley Cyrus being used, among others," he said. "Of course, this'll soon likely be everywhere, so Sun will need to issue an out of band patch."

Java Web Start was added to Java 6 as a feature to give developers a way to execute programs on computers of Web surfers, but that has turned out also to be an aid to attackers, Thompson said.

"This vulnerability is particularly nasty because it's a logic or design bug, and not your typical buffer overflow," said Marc Maiffret, chief security architect at FireEye. "That means the exploit is more reliable and works across multiple browsers."

Maiffret predicted that major exploit toolkits, which provide easy ways for people to launch attacks without having to write their own code, will be updated to include the Java exploit, especially given that there is no patch for it.

Tavis Ormandy, a Google engineer who disclosed the problem last week, said he contacted Sun but was told that the issue was not important enough to rush a patch out for it. Oracle, which recently acquired Sun, had its quarterly security update on Tuesday, which coincided with updates from Microsoft and Adobe, so a patch for this Java issue may not come until July.

"It's just a gaping hole for anyone who has Java," Maiffret said. "Waiting three months is ridiculous. This is such a critical bug you have to go out of cycle." Representatives at Oracle did not respond to a phone call and e-mail seeking comment on Wednesday.

Thompson suggested that Windows users install LinkScanner to protect their computers against sites hosting malware and to follow the mitigation strategy provided by Ormandy.