A recently unearthed feature that has been built into Java since Java 6 Update 10 allows developers to easily distribute their applications to end users.
Unfortunately – as Brian Krebs reports – it also allows criminals to remotely execute malicious code on the user’s computer, as has been proven by this week’s discovery of an in-the-wild attack that takes advantage of this feature to redirect the unsuspecting visitors of songlyrics.com to assetmancomcareers.com, a Russian website that serves a crimeware kit that bombards visiting browsers with exploits.
Tavis Ormandy, the Google researcher who discovered the vulnerability, says that he notified Sun about it, but that Sun told him it did not plan to issue an out-of-band patch. Ormandy disagreed. “The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor,” he says, and published the discovery. He also included mitigation techniques in the document.
Users are advised not to visit either of the two sites, but the problem is that by now there could be many other malicious sites taking advantage of the same handy feature. It seems to me that Sun will have to react by issuing a patch, and soon.
UPDATE: As predicted, Sun issued the patch. According to ZDNet, Sun does not mention the disclosure or the attacks in the release notes accompanying the patch, but ZDNet has been able to confirm that it does cover the flaw in question.