It exploits the visitor's browsing platform (the browser and its plugins, such as Adobe Flash, Adobe Reader and Java) and, on successful exploitation, silently and permanently installs malware on the visitor's machine. The visitor does not need to click on or agree to anything; simply visiting mysql.com with a vulnerable browsing platform results in an infection.
This is the second time this year MySQL.com has been hit. After the compromise last March the attackers posted a list of usernames and passwords, and those credentials may have been reused to break into the site again. Several news outlets have reported that a hacker has been offering root access to MySQL.com for $3,000 on Russian underground forums.
While Oracle said it had fixed the MySQL.com problem within hours, its other problem, with Java, is still brewing.
To protect users from an attack that decrypts SSL/TLS-protected web traffic, Firefox developers are considering an update that blocks Oracle's Java plugin in the browser. The move would break a number of very popular websites that depend on Java, and the team is holding off only because of how badly such a ban would hurt the user experience.
The developers of other browsers have already taken steps to thwart the attack. Last week Google updated Chrome's developer and beta versions to split outgoing encrypted records into fragments, which limits how much of the plaintext about to be encrypted an attacker can control. This has created problems with several websites. Microsoft is also said to be working on a fix.
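Why splitting records helps is easier to see in code. In TLS 1.0 CBC mode the IV for each record is the last ciphertext block of the previous record, which anyone watching the wire can see. An attacker who can get a chosen plaintext block sent over the victim's connection (the role the Java plugin played in the attack the article refers to, published in September 2011 as BEAST) can use that known IV to test a guess against a block the victim encrypted earlier; the published attack repeats this one-block test byte by byte. Sending the first byte of each write as its own record (the "1/n-1 split" that Chrome shipped) means the IV under which the attacker's block is actually encrypted is a fresh ciphertext block that did not exist when the attacker chose the plaintext. The following is an added example written for this article; it is not code from Chrome, Firefox or any browser. It uses a hypothetical four-round Feistel cipher as a stand-in for AES, zero padding instead of TLS padding, and a constructed key, IV and secret record.

```python
"""Toy model of the TLS 1.0 CBC chained-IV weakness and the 1/n-1 record split.

Added example, not code from the article or any browser. The block cipher is a
hypothetical Feistel stand-in for AES; key, IV and the "secret" record are
constructed sample values.
"""
import hashlib
import hmac

BLOCK = 16


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher (HMAC-SHA256 truncated to 8 bytes).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Hypothetical 16-byte Feistel block cipher: deterministic and invertible, NOT secure."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, rnd, right)))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    # Zero padding to a block boundary; real TLS uses length-byte padding, irrelevant here.
    return data + b"\x00" * (-len(data) % BLOCK)


class Tls10CbcSender:
    """Models a TLS 1.0 CBC connection: each record's IV is the last ciphertext
    block of the previous record, which a network eavesdropper can see."""

    def __init__(self, key: bytes, iv: bytes, split_records: bool = False):
        self.key = key
        self.chain = iv                  # IV for the next record; public on the wire
        self.split_records = split_records
        self.records = []                # ciphertext records as sent

    def _encrypt_record(self, plaintext: bytes) -> bytes:
        out = b""
        for i in range(0, len(plaintext), BLOCK):
            self.chain = toy_encrypt_block(self.key, xor(plaintext[i:i + BLOCK], self.chain))
            out += self.chain
        self.records.append(out)
        return out

    def send(self, plaintext: bytes) -> list:
        """With split_records=True the first byte goes out in its own record (the 1/n-1
        split), so the rest is encrypted under an IV (that record's ciphertext) which
        the attacker could not know when the plaintext was chosen."""
        if self.split_records and len(plaintext) > 1:
            return [self._encrypt_record(pad(plaintext[:1])),
                    self._encrypt_record(pad(plaintext[1:]))]
        return [self._encrypt_record(pad(plaintext))]


def verify_guess(sender: Tls10CbcSender, iv_used: bytes, c_target: bytes, guess: bytes) -> bool:
    """Attacker with chosen-plaintext access tests whether `guess` is the block that was
    encrypted as `c_target` under the public IV `iv_used`.

    Crafted block P' = guess ^ iv_used ^ current_chain makes the sender compute
    E(P' ^ current_chain) = E(guess ^ iv_used), which equals c_target iff the guess is right."""
    crafted = xor(xor(guess, iv_used), sender.chain)
    wire = sender.send(crafted)
    blocks = [rec[i:i + BLOCK] for rec in wire for i in range(0, len(rec), BLOCK)]
    return c_target in blocks


def demo(split_records: bool) -> tuple:
    """Returns (verification result for a wrong guess, result for the right guess)."""
    key = b"\x42" * 16                    # constructed sample key
    iv0 = b"\x00" * 16                    # constructed initial IV (public in TLS 1.0 anyway)
    secret = b"sessionid=ABCDEF"          # constructed one-block secret the victim sends
    sender = Tls10CbcSender(key, iv0, split_records)
    wire_blocks = [rec[i:i + BLOCK] for rec in sender.send(secret)
                   for i in range(0, len(rec), BLOCK)]
    c_target = wire_blocks[-1]                                   # last ciphertext block seen
    iv_used = wire_blocks[-2] if len(wire_blocks) > 1 else iv0   # IV it was chained from
    # The plaintext block that actually produced c_target (the real attack guesses it
    # byte by byte); with the split in place the victim's record was itself split.
    right = pad(secret[1:]) if split_records else pad(secret)
    wrong = bytes(b ^ 0xFF for b in right)
    return (verify_guess(sender, iv_used, c_target, wrong),
            verify_guess(sender, iv_used, c_target, right))


if __name__ == "__main__":
    print("no split  (wrong, right):", demo(split_records=False))
    print("1/n-1 split (wrong, right):", demo(split_records=True))
```

Without the split the attacker's verification oracle works: the right guess is confirmed and a wrong one rejected. With the split the attacker's block is never encrypted whole under the IV they predicted, so even the right guess no longer matches, which is exactly the property Chrome's change relies on. The same demonstration would apply to any CBC cipher suite under TLS 1.0; TLS 1.1 and later fix the root cause with an explicit per-record IV.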
As the Firefox developers noted, though, the best solution is a fix from Oracle. As Firefox Director of Engineering Johnathan Nightingale wrote: "Whatever decision we make here, I really hope Oracle gets an update of their own out. It's the only way to keep their users affirmatively safe."