Oracle Java Application Drive-By Web Attack

Written by: Carolyn Guevarra

Background of the Attack

A vulnerability in the Oracle's Java application, Java Deployment Toolkit (JDT), was spotted by two security researchers and was publicly disclosed on April 9, 2010. Although the said vulnerability has already been identified in 2008, Oracle did not deem it as highly critical to release an out-of-band patch. Following the public disclosure, however, were reports of an attack that exploited this vulnerability. This attack targeted songlyrics.com, a website that hosts song lyrics of popular music artists. This led Oracle to finally release of an out-of-band patch through an updated version of Java.


How does this threat get into users' systems?


The JavaScript exploit detected as JS_WEBSTART.A may be hosted on a website. It is downloaded onto a system via a drive-by download and is executed when the user unwittingly accesses a malicious website. The website hosts song lyrics of popular artists like Miley Cyrus, Lady Gaga, and Rihanna and was compromised through the insertion of an iframe tag that redirects users to a malicious URL where the exploit is hosted.


How does this threat affect users?


JS_WEBSTART.A is a specially crafted JavaScript file that takes advantage of a vulnerability in Oracle’s Java application. It runs a malicious Java applet detected as JAVA_WEBSTART.A. The script connects to a URL where the applet is hosted. The malicious Java applet then attempts to download a possibly malicious file, which poses a threat to users, as malicious routines of the downloaded file may then be exhibited on their systems.


What is the driving force behind this threat?


Ultimately, this threat aims to download other malicious files onto affected systems, allowing them to become a launchpad for other malware attacks. It exposes the user to a variety of potential threats that can be silently installed on a system without users' knowledge. These threats may be backdoor programs that allow remote attackers to take control of users' systems, information-stealing Trojans that steal sensitive data from affected systems, or bots that make the systems part of a network of zombie computers under the control of cybercriminals.


How can users protect themselves from this attack?


Oracle released an updated version of Java to address the vulnerability that this threat exploits. Users should upgrade their Java applications to this version to prevent their systems from being compromised. More importantly, users should practice safe online browsing habits by disabling browser scripting and by avoiding downloadable applications from untrustworthy sources.


Trend Micro protects users from this attack via the Smart Protection Network™, which blocks access to malicious URLs that this threat connects to via the Web reputation service. It also detects and prevents the execution of all malware related to this attack via the file reputation service. Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF rule number 1004091.