As expected, virus writers are now actively exploiting a zero-day Sun Java vulnerability to infect Windows computers through drive-by downloads.
The first signs of the predicted wave of malware came yesterday, when security researchers noticed a music lyrics website hosting the exploit.
"The code involved is really simple, and that makes it easy to copy, so it's not surprising that just five days [after the vulnerability was publicly revealed], we're detecting that code at an attack server in Russia," Roger Thompson, chief research officer of security firm AVG, said in a blog post.
He said lyrics pages for singers Rihanna, Lady Gaga and Miley Cyrus are being used to carry out the attack. Users can be infected simply by visiting the compromised pages.
The flaw, first reported by researchers Tavis Ormandy and Ruben Santamarta in separate disclosures, involves the Java Deployment Toolkit browser plug-in failing to properly validate parameters, according to a Secunia advisory. This can allow attackers to execute a JAR (Java Archive) file "on a network share in a privileged context".
If users are tricked into visiting a malicious website containing the exploit, attackers can run arbitrary code on victim machines, the advisory said.
Ormandy, in a post on the Full Disclosure mailing list, said the vulnerability is easy to exploit.
"The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited," he said. "The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor."
Thompson predicted that the exploit will become more widespread in the coming days. As a result, he said Sun, now owned by Oracle, must issue an out-of-band patch for the issue. But Ormandy said he contacted Sun about the bug and was told it did not meet the severity level to warrant an out-of-cycle fix. Sun Solaris products are now patched quarterly as part of Oracle's security update, the most recent of which was delivered this week and did not include a fix for the flaw.
A Sun spokesperson did not immediately respond to a request for comment.
As users await a fix, Thompson suggested they apply workarounds described by Ormandy in his post.
See original article on scmagazineus.com