Oracle today patched a critical Java vulnerability that is being exploited by hackers to install malicious software. The security update to Java SE 6 Update 20 patches a bug disclosed last Friday by Google security researcher Tavis Ormandy, who spelled out how attackers could run unauthorised Java programs on a victim's machine by using a feature designed to let developers distribute their software. Only systems running Windows are at risk.
Oracle's patch appears quick and dirty, Ormandy said. "They've completely removed the vulnerable feature, literally replaced with 'return 0,'" he said on Twitter.
The company noted as much in the advisory that accompanied the update. "A Java Network Launch Protocol (JNLP) file without a codebase parameter, such as the following, will no longer work with the Java SE 6 update 20 release," said Oracle. "This means that developers must specify the codebase parameter in a JNLP file."
Although Ormandy reported the flaw to Oracle before going public, he said the company declined to rush out a patch. "They informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle," Ormandy wrote on the Full Disclosure security mailing list. "I explained [to them] that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available."
Other researchers noted Oracle's turnaround today. "So it turns out that Oracle can actually patch Java in less than a week! Funny how vendors only care to do this after full-disclosure," said noted browser researcher Alexander Sotirov, also on Twitter.
Yesterday, Roger Thompson, AVG Technologies' chief research officer, revealed that hackers were already using Ormandy's proof-of-exploit code to plant malware on unsuspecting users. A US-based website, Songlyrics.com had been compromised by attackers, and was redirecting visitors to a Russian server feeding the Java attack as well as other exploits.
Songlyrics.com confirmed that one or more advertisements on its site had contained an IFRAME that was shunting users to the Russian attack site. "It appears our ad server, OpenX, was hacked into," said Dan O'Brien of SoundMedia, the company that operates Songlyrics.com. OpenX is a free, open source ad server.
"Our OpenX version was upgraded in March last year, but there has been a new release since," O'Brien continued. "We have removed all the OpenX ads on SongLyrics.com until we can get everything fixed."
According to Thompson, users running Microsoft's Internet Explorer (IE) or Mozilla's Firefox browser with the Java plug-in installed are vulnerable to attacks using Ormandy's exploit code. Google's Chrome, however, is probably safe.
Java SE 6 Update 20 can be downloaded from Oracle's site.