Lyric Website Exploits Java Web Start Vulnerability
After Tavis Ormandy published a proof of concept showing how to exploit a vulnerability in the Java Deployment Toolkit, Roger Thompson, chief research officer at AVG Technologies, announced that the code has been detected on an attack server in Russia.
Apparently, Songlyrics.com was unwittingly redirecting users to this attack server, which fed Ormandy’s exploit to victims, in addition to a larger-scale exploit toolkit.
The exploit targets the Java Web Start feature of Sun’s Java 6, update 10, released in April 2008.
“So far, it’s not in any of the exploit kits, as far as we can see, but it’s a given that it soon will be,” writes Ormandy. “Tick.. tick.. tick…”