As expected, virus writers are now actively exploiting a zero-day Sun Java vulnerability to infect Windows computers through drive-by downloads.
First signs of the forecasted malware barrage came Wednesday, when security researchers noticed a music lyrics website hosting the exploit.
“The code involved is really simple, and that makes it easy to copy, so it’s not surprising that just five days [after the vulnerability was publicly revealed], we’re detecting that code at an attack server in Russia,” Roger Thompson, chief research officer of security firm AVG, said Wednesday in a blog post.
He said lyrics pages for singers Rihanna, Lady Gaga and Miley Cyrus are being leveraged to perpetrate the attack. Users can be hit simply by visiting the infected sites.
If users are tricked into visiting a malicious website containing the exploit, attackers can run arbitrary code on victim machines, the advisory said.
Ormandy, in a post on the Full Disclosure mailing list, said the vulnerability is easy to exploit.
“The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited,” he said. “The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor.”
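A defender-side check in the spirit of what Ormandy describes, added here as an example and not part of the article or of his post: the value the toolkit hands to javaws should be a single JNLP URL, so any extra whitespace-separated or dash-prefixed token is an injected command-line argument. The function names and sample values below are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample launch values (not taken from the article or from any real site).
# The first is a normal JNLP launch; the rest carry extra tokens of the shape the
# article describes: javaws options smuggled through the toolkit's URL parameter.
SAMPLE_LAUNCH_VALUES = [
    "http://intranet.example.test/app/launch.jnlp",
    "http://intranet.example.test/app/launch.jnlp -verbose",
    "  -verbose  http://intranet.example.test/app/launch.jnlp",
    "http://intranet.example.test/app/launch.jnlp%20-verbose",  # percent-encoded space
]

# A token that looks like a command-line switch: one or two dashes then a letter.
OPTION_TOKEN = re.compile(r"^-{1,2}[A-Za-z]")


def launch_tokens(value):
    """Split a launch value the way a command line would, after URL-decoding.

    Decoding first matters: an attacker can hide the separating space as %20,
    and the value is only split into arguments after it has been decoded.
    """
    return unquote(value).split()


def injected_javaws_args(value):
    """Return every token in the launch value that looks like a javaws option."""
    return [t for t in launch_tokens(value) if OPTION_TOKEN.match(t)]


def is_clean_launch_value(value):
    """True only if the value is exactly one http(s) URL and nothing else."""
    tokens = launch_tokens(value)
    if len(tokens) != 1:
        return False
    parts = urlsplit(tokens[0])
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def scan_launch_values(values):
    """Return (value, injected_args) for each value that fails the single-URL check."""
    return [(v, injected_javaws_args(v)) for v in values if not is_clean_launch_value(v)]


if __name__ == "__main__":
    for value, args in scan_launch_values(SAMPLE_LAUNCH_VALUES):
        print(f"suspicious launch value {value!r}: injected args {args}")
```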
Thompson predicted that the exploit will become more widespread in the coming days. As a result, he said Sun, now owned by Oracle, must issue an out-of-band patch for the issue. But Ormandy said he contacted Sun about the bug and was told it did not meet the severity level to warrant an out-of-cycle fix.
Sun Solaris products are now patched quarterly as part of Oracle’s security update, the most recent of which was delivered Tuesday and did not include a fix for the flaw.
A Sun spokesperson did not immediately respond to a request for comment.
As users await a fix, Thompson suggested they apply workarounds described by Ormandy in his post.