Song Lyrics Site Serves Up Java Attack Code

Thursday, April 15, 2010 at 8:06 am

Popular lyrics site Songlyrics.com was found to be delivering attack code that could expose visitors to remote code execution attacks, several news outlets reported Thursday. Researcher Tavis Ormandy discovered the exploit last week and reported it. Songlyrics.com has taken action to remove the offending code from its website.

Ormandy and partner Ruben Santamarta said the issue was easy to exploit, and AVG researcher Roger Thompson has called upon Oracle to patch it as soon as possible. However, according to The Register, the company has neither answered their requests for comment nor confirmed that the exploit exists at all.

 

6 Comments For This Post

  1. Esteban Says:

    I’ve never found a song lyric site that’s not all spammy and full of shady-looking ads.

  2. Ed Oswald Says:

    Point taken and agreed 🙂

  3. David Hamilton Says:

    I believe that an update has been released – Java 1.6.0_20 – http://java.sun.com/javase/downloads/index.jsp & http://java.sun.com/javase/6/webnotes/6u20.html

    The release notes aren’t absolutely specific (i.e. no specific vulnerability reference and no date of release – @Sun: these things would be handy), but they talk about restricting codebase and validation of the Webstart protocol, which sounds very much like they should address the problems.

    Gentlemen, start your (update) engines!

  4. David Hamilton Says:

    Hello? Technologizer have started moderating comments? That’s new…

    You guys want to comment on the reason for that?

  5. David Hamilton Says:

    One news site states that although update 20 stops the code from loading, they found that it didn’t prevent the attack in all circumstances, but they don’t provide any more information – http://www.h-online.com/security/news/item/Java-vulnerability-when-lyric-sites-attack-978283.html

  6. Ed Oswald Says:

    We have been moderating comments for quite a bit now. It only takes one comment to get approved however for all following ones. Kinda like we check to see if you’re spam first. If you had a comment moderated since then, that’s news to me. Sometimes it will catch one for links.. but it’s a little flaky so.. don’t fret…
