
Song Lyrics Site Serving Attack Code

2010-04-14

The Register is reporting that a popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle's Java virtual machine, which is installed on hundreds of millions of computers worldwide.

The site 'songlyrics.com' is said to be serving JavaScript that triggers a weakness disclosed by Tavis Ormandy last week. Ormandy and fellow researcher Ruben Santamarta discovered a flaw in the latest version of Oracle's Java runtime environment that attackers can exploit to remotely execute malicious code on the end user's machine. The article states that both researchers stressed the ease with which attackers can exploit the bug using a website that silently passes malicious commands to the Java components that launch applications from Internet Explorer, Firefox, and other browsers. Ormandy alerted Java handlers at Oracle's recently acquired Sun division but was told that they do not consider the vulnerability a high enough priority to break their quarterly patch cycle.

AVG Technologies Chief Research Officer Roger Thompson, who discovered the in-the-wild attack, has said that songlyrics.com appears to have been compromised by attackers for the purpose of exploiting the Java vulnerability, and that people should stay away from the website. The bug in the Java Web Start component has been confirmed exploitable on all recent versions of Windows by Ormandy and Ruben Santamarta of the Spain-based security firm Wintercore. Santamarta said a related flaw potentially affects Linux users as well.