Several security researchers have discovered a wave of drive-by attacks attempting to exploit a new Java zero-day vulnerability to serve up malware.
Proof-of-concept code was published April 9 by Google Engineer Tavis Ormandy, after the researcher was reportedly told by Sun Microsystems Inc. engineers that the issue wasn't serious enough to warrant an immediate fix. Ormandy published details of the Java flaw in a message at the Full Disclosure mailing list forum. The vulnerability affects all versions of Windows and has been confirmed on machines running Internet Explorer (IE) and Mozilla Firefox. In his message, Ormandy outlined several workarounds until a patch can be deployed.
"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor," Ormandy wrote. "Exploitation of this issue is not terribly exciting, but is potentially of high enough impact to merit explanation."
The issue is with the Java Webstart Framework (JavaWS), a plug-in and ActiveX control distributed with the Java Deployment Toolkit, installed by default in the Java Runtime Environment, Ormandy wrote. The toolkit is used to provide developers a way to easily distribute applications.
Roger Thompson, chief research officer of antivirus vendor AVG Technologies Inc., said the drive-by attacks, which surfaced this week, were discovered on a song lyrics publishing site. When a visitor attempted to view lyrics by music stars Rihanna, Usher, Lady Gaga and Miley Cyrus, attack code scans the victim's machine in an attempt to find and exploit the error, among others. Thompson said.
"The code involved is really simple, and that makes it easy to copy, so it's not surprising that just five days later, we're detecting that code at an attack server in Russia," Thompson said.
Sun Microsystems, which maintains Java, was acquired by Oracle Corp. in January. Oracle issued an update this week as part of its quarterly patch cycle, which included a Sun Java update. The issue was not addressed in the latest update. The company did not return a request for comment.
The Java issue was first reported last week by Dennis Fisher of ThreatPost.com.
Ruben Santamarta, security researcher and reverse engineer with Spain-based security firm Wintercore, also wrote about the flaw in an advisory that warned that the bug could allow remote execution. As a workaround, Santamarta urged users to disable javaws.exe in Windows.