Java toolkit failure compromises song lyrics website

CIOL Bureau

BANGALORE, INDIA: If you have visited www.songlyrics.com over the last few days, and if you have accessed lyrics of Lady Gaga, Miley Cyrus or Rihanna tracks, chances are that you have a bug in your system by now.

Virus writers are actively exploiting a zero-day Sun Java vulnerability to infect Windows computers through drive-by downloads; the exploit was traced to an attack server in Russia. The flaw, first reported by researchers Tavis Ormandy and Ruben Santamarta in separate disclosures, involves the Java Deployment Toolkit browser plug-in failing to properly validate parameters, according to a Secunia advisory issued after the exploit.

The plug-in's failure to validate its parameters allows attackers to execute a JAR (Java Archive) file on a network share in a privileged context. If users are tricked into visiting a malicious website containing the exploit, attackers can run arbitrary code on victim machines.

Interestingly, experts who tried to reach out to Oracle were apparently informed that the company did not see the issue as a big enough vulnerability to break their quarterly patch cycle. The fact of the matter is that the vulnerable toolkit provides only minimal validation of the URL parameter, allowing arbitrary parameters to be passed to the Javaws utility, which offers enough functionality via command-line arguments for this error to be exploited.
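The weakness described above is a classic argument-injection pattern: a web-supplied "URL" is forwarded to a command-line launcher with only a superficial check, so anything the launcher would read as an option rides along with it. The following is an added illustration, not code from the Java Deployment Toolkit or from Oracle, contrasting a minimal "looks like a URL" check with a strict allow-list check before the value is handed to a launcher. The launcher name `javaws` is used only as a placeholder argv[0], the `.jnlp` suffix requirement is this example's own policy choice, and all sample inputs are constructed.

```python
"""Added example: strict validation of a URL parameter before it is passed
to an external launcher on its command line.  Not the toolkit's own code;
the launcher name and the sample inputs are placeholders constructed here."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample inputs for the demonstration (not real attack traffic).
SAMPLES = [
    "http://example.com/app.jnlp",                      # legitimate-looking
    "http://example.com/app.jnlp -constructed-option",  # extra token appended
    "-constructed-option",                              # no URL at all
    "file:///C:/app.jnlp",                              # wrong scheme
    "http://example.com/app.exe",                       # wrong resource type
]

_HOST_RE = re.compile(r"[A-Za-z0-9.-]+")


def minimal_check(param: str) -> bool:
    """Mimics a 'minimal validation' check: only asks whether the value
    begins with an http(s) prefix, so trailing tokens are never examined."""
    return param.startswith("http://") or param.startswith("https://")


def strict_check(param: str) -> bool:
    """Allow-list check: exactly one well-formed http(s) URL, no whitespace or
    control characters that could split into further arguments, no leading
    dash that a launcher could read as an option, and a .jnlp path."""
    if not param or len(param) > 2048:
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in param):
        return False
    if param.startswith("-"):
        return False
    parts = urlsplit(param)
    if parts.scheme not in ("http", "https"):
        return False
    if not parts.hostname or not _HOST_RE.fullmatch(parts.hostname):
        return False
    if not parts.path.endswith(".jnlp"):
        return False
    return True


def build_argv(param: str, launcher: str = "javaws") -> Optional[List[str]]:
    """Build the launcher command as an argv list (never a shell string) and
    only after strict validation; returns None when the value is rejected."""
    if not strict_check(param):
        return None
    return [launcher, param]


def audit(samples: List[str]) -> List[dict]:
    """Run both checks over the samples so the gap between them is visible."""
    return [
        {"param": s, "minimal": minimal_check(s), "strict": strict_check(s)}
        for s in samples
    ]


if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(f"minimal={row['minimal']!s:5} strict={row['strict']!s:5}  {row['param']}")
```

The second sample is the instructive one: the minimal check accepts it because it starts with `http://`, while the strict check rejects it on the embedded whitespace before the launcher ever sees the trailing token. Passing argv as a list rather than a shell string is necessary but not sufficient; the leading-dash and whitespace rules are what keep a validated URL from being interpreted as launcher options.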
