Woody Leonhard’s no-bull news, tips and help for Windows and Office
  Java 0day infects songlyrics.com

    Posted on April 15th, 2010 at 06:05 woody 15 comments

    On April 9, Tavis Ormandy published details of a 0day hole in Java’s Deployment Toolkit browser plug-in. It’s amazingly easy to exploit, and Sun didn’t take him seriously:

    Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

    For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.

    Now comes word that a very popular Web site, songlyrics.com, has been serving up ads that exploit that specific 0day to push rogue antispyware applications from Russia.

    Thank you, Sun.

    UPDATE: Brian Krebs reports that there’s a new version of Java out. I suggest you wait and let it install automatically: Ryan Naraine discovered that when he installed it manually, Sun oh-so-helpfully offered to install the Bing Toolbar (another piece of crapware from Microsoft), and the installer goes so far as to leave the Bing Toolbar box checked by default.

    Open question: is Sun turning into the next Apple?


    15 responses to “Java 0day infects songlyrics.com”

    1. Now that we know all of this, what do we non-technical Windows users do? I have no idea what the mitigation suggestions are talking about.

    2. RC -

      For now, all you can do is avoid songlyrics.com. But keep your ear to the ground for news of infected sites. This is a real one – not a sky-is-falling-chicken-little exercise.

    3. Are particular forms of malware being distributed that the virus and spyware programs can handle, or is this a more general problem?

      And, is there a way of determining if a site uses Java so as to avoid it for the while?

      thanks

    4. Supposedly, Java released 1.6.0_20 today which fixes the hole.

      http://www.securityfocus.com/bid/39346/solution

    5. Just released 3 hours ago:

      Java Downloads for All Operating Systems
      Recommended Version 6 Update 20

    6. Herb -

      Looks like they’re going after rogue programs, so AV software (like Microsoft Security Essentials) should be at least partially effective. There are ways to turn off Java, but no way to know in advance if a page uses Java, as far as I know.

    7. Woody,

      I’m surprised that you recommend that Java do automatic updates (I don’t like to have *any* programs doing that, and you certainly don’t recommend such a policy with Microsoft). In the recent past when I’ve done Java manual updates, the Yahoo Toolbar was marked by default to install as well. So your report that Bing is now in that favored position comes as no surprise. As always, caveat emptor.

    8. Marty -

      Good point. The problem with Java (and Flash) is that they rev so frequently, it’s very hard to keep up with the good patches and the bad patches. Still, you’re absolutely right. I’ll re-consider what I’ve been saying about auto updating with both…

    9. Getting the update tonight. This seems to patch the vulnerability, so folks don’t have to throw out the Java baby with the bathwater, as suggested by Windows Secrets columnist Robert Vamosi.

    10. Actually, that Toolbar Java tries to install is still the Yahoo Toolbar. I hate sneakware!

    11. For those that don’t have the new update of Java, Firefox will automatically disable it due to security vulnerabilities (just like it did with the Windows Presentation Foundation hole). I have it installed on my desktop computer, but not my mom’s laptop.

    12. @Connor –

      Not true. My FF 3.6.3 left the old Update 19 of both plug-ins (JDK and Java) intact and enabled. I had to manually disable both for every computer user. But Update 20 is successfully running on my laptop with no apparent problems.

      I should’ve taken bets on how soon Java.com would relent and do this one. Could’ve made a fortune!

    13. Woody said, “Ryan Naraine discovered that if he installed it manually, Sun oh-so-helpfully offered to install the Bing Toolbar – another piece of crapware from Microsoft”.

      This is a nasty trend that really deserves our attention…and a swift, powerful, kick to the center-of-gravity from consumer groups.

      From freeware such as Comodo’s firewall to expensive software coming bundled with nVidia’s pricey video cards, a distressing number of programs now

      • change your homepage to something like ask.com
      • change your default search engine to Ask, Yahoo, MyWebSearch, or even Google
      • place often difficult-to-remove icons on your desktop for eBay and other sites
      • install crapware/privacy-killing toolbars.

      These sneakily installed pieces of unwanted cr*p almost always have no function related to the program we’re consciously installing.

      In some cases, the contradiction is tragic and laughable. Comodo, the firewall/antivirus/antimalware application, is supposed to protect us from this type of malware…yet installs this malware as Comodo installs itself.

      How forewarned are we? We’re not. CNet’s download.com page for Comodo Internet Security, for example, makes no mention of these parasitic riders. CNet even declares all its downloads “certified spyware free” and touts “more popular privacy software” at the bottom of this particular page. On this page the publisher’s description declares “Comodo Internet Security is the free, multi-layered security application that protects your computer against internal and external attacks from viruses, Trojans, worms, buffer overflows, spyware and hackers. Built from the ground upwards with your security in mind, ….” The ironic horror of an anti-trojan package that is itself a trojan is, laughably, not apparent to them.

      Check it out: There is no notification prior to mid-installation to let you know that Comodo Internet Security, this supposed protector has a little alien baby that will shortly burst out of Comodo’s chest:
      http://download.cnet.com/Comodo-Internet-Security/3000-2144_4-10460704.html

      Many of these add-on toolbars, such as Google’s and Alexa’s toolbars, are in fact spyware. They monitor which sites you visit in order to judge the popularity of those sites…and to create a marketing database of Internet user profiles similar to the controversial one created and used by Google’s AdSense.

      In some cases, we’re not told anything, or the warning is buried on the 16th page of a EULA written in ALLCAPS and readable only a small paragraph at a time. In other cases, we’re told that a toolbar will be automatically installed, but we can “go into Control Panel > Add/Remove Programs” to remove it later. In still other cases, during the manual installation procedure we’re shown a picture of a toolbar and presented with a series of pre-checked boxes and a menu: “accept EULA for this free toolbar”, “make ask.com my homepage”, “change my default search engine to uselesswankers.com”, and “receive an exciting newsletter about product updates and deals from our trusted business partners”.

      By choosing automatic installations such as the “express” videocard driver installation supplied with high-end nVidia video cards, you’re NEVER told that along with essential video drivers, you’re also receiving an unwelcome toolbar/search engine/homepage. Personally, I feel a rising, boiling bile in my throat when I consider that I’ve paid hundreds of dollars for a video card, only to have those (*#@$& sneak in a parasitic piece of crapware / malware.

      A list of other programs that contain little trojan/alien crapware/malware jockeys includes:
      CCleaner, FoxIt PDF reader (contains a toolbar of its own making), XP Anti-Spy, CPU-Z’s CPU-ID, IE8 “optimized for Google”, various Microsoft programs, and Yahoo! Messenger.

      Call it trojans, call it a wave of parasitic malware, or be charitable enough to call it parasitic sneaky crapware. Whatever name we tack onto this rising pile of trash, it’s something that we need to actively discourage and raise awareness about.

      Whenever you discover one of these parasites hidden in an installation routine, WRITE to the author of the host software, and let him know that you’ll be actively looking for a sneakware/crapware/trojan-free alternative to his software. Write a letter to the editor of your favorite PC magazine or online PC advice site. Kick some shins, or aim higher. :-D

    14. The Java update should not have done this, but the Bing toolbar is now “infecting” 40% of the systems I administer.

      We are contractually forbidden to have any MS code in house, and due to this contract violation with them, our legal department is telling us that tomorrow we will be taking legal action and disabling/uninstalling all Sun Microsystems, Oracle and Java branded software and hardware, so we can justify not paying them this next quarter ,,, GFD!!!!

    15. Woody,
      I just got a Java Update notice in my taskbar (Win XP Pro, Version 5.1.2600 Service Pack 3 Build 2600). For some reason, this time I decided to click for more information. And it said to remove all older versions first. If I don’t, it’s a security hazard. Aren’t 21st century programs supposed to know how to remove older versions?

      I never knew about this and I had four old versions hiding in the back of the closet! Gack!

      Morty
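The thread above turns on two version facts: comment 4 says the fix shipped as 1.6.0_20 (the download page in comment 5 calls the same release “Version 6 Update 20”), and comment 15 notes that the updater leaves older versions installed unless you remove them yourself. The following is an added example, my own illustration and not code from the post or from Sun: it normalizes both of Sun’s naming schemes to a (family, update) pair and flags installs older than the fixed release. The `java -version` banner format is real; the Add/Remove Programs display-name strings (`Java(TM) 6 Update 19`, `J2SE Runtime Environment 5.0 Update 22`) are an assumed format, and the sample install list is constructed for the example.

```python
import re

# Fix level named in the comment thread: 1.6.0_20 == "Java 6 Update 20".
FIXED = (6, 20)

# `java -version` banner, e.g.  java version "1.6.0_19"
_BANNER_RE = re.compile(
    r'java version "1\.(?P<family>\d+)\.\d+(?:_(?P<update>\d+))?"'
)

# Add/Remove Programs display names (assumed format for this example), e.g.
#   Java(TM) 6 Update 19
#   Java(TM) SE Runtime Environment 6 Update 1
#   J2SE Runtime Environment 5.0 Update 22
_DISPLAY_RE = re.compile(
    r"(?:Java(?:\(TM\))?(?:\s+SE)?|J2SE)(?:\s+Runtime Environment)?"
    r"\s+(?P<family>\d+)(?:\.0)?(?:\s+Update\s+(?P<update>\d+))?",
    re.IGNORECASE,
)


def parse_java_version(text):
    """Normalize either naming scheme to (family, update); None if unrecognized.

    A name with no "Update N" / "_N" part is treated as update 0, i.e. the
    original release of that family.
    """
    m = _BANNER_RE.search(text) or _DISPLAY_RE.search(text)
    if m is None:
        return None
    return (int(m.group("family")), int(m.group("update") or 0))


def older_than_fix(version, fixed=FIXED):
    """True when `version` predates the fixed release.

    Tuple comparison orders by family first, then update, so (5, 22) and
    (6, 19) are both "older" while (7, 0) is not. "Older than the fix" is
    what comment 15's "remove all older versions" advice keys on; it is not
    a claim that every old build carries this specific hole.
    """
    return version < fixed


def audit(entries, fixed=FIXED):
    """Sort a list of version strings into current / old / unknown buckets."""
    report = {"current": [], "old": [], "unknown": []}
    for text in entries:
        version = parse_java_version(text)
        if version is None:
            report["unknown"].append(text)
        elif older_than_fix(version, fixed):
            report["old"].append(text)
        else:
            report["current"].append(text)
    return report


# Constructed sample: one current install, the "four old versions" of
# comment 15, and one unrelated program that must not be misparsed.
SAMPLE_INSTALLS = [
    "Java(TM) 6 Update 20",
    "Java(TM) 6 Update 19",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "J2SE Runtime Environment 5.0 Update 22",
    "Adobe Flash Player 10 ActiveX",
]

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_INSTALLS).items():
        print(f"{bucket:8s} {items}")
```

On a real Windows box the display names would be read from the DisplayName values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (plus the Wow6432Node copy on 64-bit systems); feed those strings to audit() and uninstall everything in the “old” bucket, since, as comment 15 found, Update 20 installs alongside the old builds rather than replacing them.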
