The Register® — Biting the hand that feeds IT

Feeds

Java code-execution vuln exploited in drive-by attack

A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle's Java virtual machine, which is installed on hundreds of millions of computers worldwide. The site, songlyrics.com, is serving up javascript that invokes the weakness disclosed last week by security …

This topic is closed for new posts.
Anonymous Coward
Grenade

D'oh!

brought to you by Oracle Corp.

Destroy All Monsters
Flame

Don't call now...

Larry is on a yacht in the middle of the Indian Ocean and can't be bothered.

Anonymous Coward
Anonymous Coward

Last Nail Into The Coffin

...of Browser-based Java.

I would have expected Larry to personally direct someone to fix this issue UNTIL NEXT MORNING 10:00.

Apparently the fix is clear - validate the input to the web start *.jar downloading mechanism. They could have added a config file that allows you to enable the old mechanism for selected source hosts, to be 100% sure end users can re-enable legacy apps.

As Oracle apparently has much more important priorites, I suggest they just throw away all the client-side java stuff. Users will disable it anyhow, now. Or not install Java after being hacked and having had to reinstall their PC.

I just removed Java for good from my machine.

Anonymous Coward
Anonymous Coward

Hrm..

Another job for noscript, or if possible, just not having f'king Java installed.

Lyle Dietz
FAIL

Research fail

"The vulnerability has existed since April 2008, when Sun introduced the Java Web Start feature in Java 6, update 10."

They introduced Web Start in Java 1.4, they updated it in 6u10. The question becomes, does this mean users of Java 5 are safe?

Nick FitzGerald
Reply Icon

Re: Research fail

"They introduced Web Start in Java 1.4, they updated it in 6u10. The question becomes, does this mean users of Java 5 are safe?"

Correct about initial release of JWS. The issue with 6u10, which introduced this "vulnerability by design" was that they made JWS more directly accessible, via the "Deployment Toolkit" ActiveX control (for IE) and the equivalent NPAPI plugin for (most) other browsers. This current exploit depends on the 6u10+ "improvement" in JWS functionality.

Adrian Esdaile
Troll

Maybe they could outsource...

to Adobe?

Adobe are perfect, and will sue anyone who says they aren't!

David 141
Badgers

Disable Java and JDT

Disabling Java _and_ the Java Deployment Toolkit plugin should work for Firefox.

Java isn't magic - Firefox can't handle JNLP without a plugin any more than it can handle Flash by itself.

Anonymous Coward
WTF?

java != javascript

"The site, songlyrics.com, is serving up javascript"

"Short of uninstalling Java altogether, it's not easy to prevent"

really? FF+NoScript wouldn't prevent it?

Anonymous Coward
Grenade
Reply Icon

javascript not required!

The vulnerability does not require javascript, plain html tags is enough...

GazElm
WTF?

What are oracle doing?

The security sandbox of Java is supposed to be one of its main selling points...

Pull your finger out and fix it, you bellends.

o2bearebel
Go

Why all the fuss ?

It's fixed and released. JRE 6u20 is out.

http://java.sun.com/javase/downloads/index.jsp

Anonymous Coward
FAIL

@Why all the fuss ?

First Oracle did not display a determination to fix the bug immediately. And according to some reports, it does NOT fix the issue:

http://www.heise.de/newsticker/meldung/Java-Luecke-Spiel-mir-das-Lied-vom-Trojaner-Update-978119.html

"Das Java-Update führt offenbar nicht in allen Fällen dazu, dass der bekannte Exploit nicht mehr funktioniert. Die Ursache ist derzeit unklar. Alternativ hilft es weiterhin, beim Internet Explorer das Killbit für das verantwortliche ActiveX-Control zu setzen, beispielsweise indem man folgenden Text in der Datei kill.reg speichert und die Datei dann doppelklickt:"

English: ..Apparently the fix does not always work...disable plugin with killbit....

This topic is closed for new posts.