Thursday, April 15, 2010

Emergency Java patch released, PATCH NOW

There have been reports that this flaw is already being exploited on at least one popular website.

As attacks surface, Sun ships sudden Java patch | Zero Day |
In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.

The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped song lyrics Web site.

The release notes that accompany the new Java 6 Update 20 make no mention of the public flaw disclosure or subsequent attacks, but I’ve been able to confirm that the patch does cover the vulnerability released by Google security researcher Tavis Ormandy.

Critical Java Vulnerability Exploited On |
A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle’s Java virtual machine, which is installed on hundreds of millions of computers worldwide.

Java Patch Targets Latest Attacks — Krebs on Security
Oracle Corp. has shipped a new version of its Java software that nixes a feature in Java that hackers have been using to foist malicious software.

Java 6 Update 20 was released sometime in the last 24 hours, and includes some security fixes, although Oracle’s documentation on that front is somewhat opaque. Most significantly, the update removes a feature that hackers have started using to install malware.

On Wednesday, a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to plant malicious software.

If you need Java for some specific reason, then by all means install this update. However, I have found that most users can happily do without this powerful and feature-rich program, which is fast becoming a popular vehicle for launching a range of attacks. More on that in a future post. Stay tuned.

System administrators and savvy home users who download the offline patch can update their computers more quickly by running the downloaded patch with the command-line switches "/passive /norestart". This turns the install into a start-it-and-forget-it event and avoids the need to click a bunch of [OK] and [Next] buttons. Incidentally, it also bypasses the attempt to install a toolbar into your browser. If you are curious about what command-line switches are available, run the patch with the command-line switch "/?".
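Added example, not code from Krebs on Security or from this blog: a PowerShell script that performs the unattended install described above (the offline installer run with "/passive /norestart") and then verifies that the expected JRE version is actually what Windows now reports. The installer path and filename, the expected version string, and the registry layout under HKLM\SOFTWARE\JavaSoft are assumptions for illustration; adjust them to the file you downloaded and to your platform (a 32-bit JRE on 64-bit Windows records itself under WOW6432Node).

```powershell
# Added example (not from the original post): unattended install of the
# offline Java 6 Update 20 patch, followed by a version check.
# Run from an elevated (Administrator) PowerShell prompt.
param(
    # Hypothetical path to the offline installer downloaded from java.com.
    [string]$Installer = "C:\patches\jre-6u20-windows-i586.exe",
    # Version we expect to be present after a successful install.
    [string]$Expected  = "1.6.0_20"
)

# Turn "1.6.0_20" into a zero-padded key so versions sort numerically
# (a plain string sort would rank 1.6.0_9 above 1.6.0_20).
function ConvertTo-SortKey([string]$Version) {
    $parts = ($Version -replace '_', '.').Split('.') | ForEach-Object { [int]$_ }
    ($parts | ForEach-Object { '{0:D4}' -f $_ }) -join '.'
}

# Read the newest full JRE version recorded by the installer. Assumed layout:
# HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<major.minor.micro_update>
# (32-bit JRE on 64-bit Windows: same path under HKLM\SOFTWARE\WOW6432Node).
function Get-InstalledJreVersion {
    $key = "HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment"
    if (-not (Test-Path $key)) { return $null }
    Get-ChildItem $key |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^\d+\.\d+\.\d+_\d+$' } |
        Sort-Object { ConvertTo-SortKey $_ } -Descending |
        Select-Object -First 1
}

# True when $Have is the same as or newer than $Want.
function Test-JreAtLeast([string]$Have, [string]$Want) {
    if (-not $Have) { return $false }
    return (ConvertTo-SortKey $Have) -ge (ConvertTo-SortKey $Want)
}

if (-not (Test-Path $Installer)) {
    Write-Error "Installer not found: $Installer"
    exit 1
}

# /passive shows only a progress bar and /norestart suppresses the reboot
# prompt, which is what makes this a start-it-and-forget-it install.
# Run the installer with /? to see the full list of switches.
$proc = Start-Process -FilePath $Installer `
    -ArgumentList '/passive', '/norestart' -Wait -PassThru

# Standard Windows Installer codes: 0 = success, 3010 = success, reboot pending.
if ($proc.ExitCode -ne 0 -and $proc.ExitCode -ne 3010) {
    Write-Error "Installer exited with code $($proc.ExitCode)"
    exit $proc.ExitCode
}

$have = Get-InstalledJreVersion
if (Test-JreAtLeast $have $Expected) {
    Write-Host "Java $have installed (>= $Expected): patched"
    if ($proc.ExitCode -eq 3010) { Write-Warning "Reboot pending before the update is fully active" }
} else {
    Write-Error "Installed JRE is '$have', expected at least $Expected"
    exit 1
}
```

The post-install check matters because a silent install that fails (for example, because a browser still has the old plugin loaded) produces no dialog to tell you so; the exit code and the registry version are the only evidence you get. The registry check covers the plugin-facing version only; older JREs left installed side by side should be removed separately.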
