by Constantine von Hoffman

Oracle’s Horrible, No-good, Very-bad Java Security Week

Opinion
Sep 29, 2011 | 3 mins
Cybercrime, Encryption, Fraud

Hackers are using the software to cause trouble for the company, users of its products and average web browsers

First, someone uses Java to turn MySQL.com into an online Typhoid Mary and then Mozilla says it’s thinking about dumping Java to stop BEAST attacks. Somewhere Larry Ellison is going, “Is it Friday yet?” 


On Monday, security firm Armorize discovered that the website for downloading the popular open-source relational database was spreading drive-by downloads. Anyone visiting MySQL.com was served injected JavaScript, which generated an iFrame that redirected to a website hosting the Black Hole crimeware exploit kit. According to the Armorize blog:

It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge. The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.

This is the second time this year MySQL.com has been hit. After that hit last March the hackers posted a list of usernames and passwords. This data may have been used to break into the site again. Several news outlets have reported that a hacker has been offering root access to MySQL.com for $3000 on some Russian underground forums.

While Oracle said it had fixed the MySQL problem within hours, its other Java problem is still brewing.

In order to protect users from an attack that decrypts sensitive web traffic, Firefox developers are looking at an update that stops the browser from working with Oracle’s Java. The move would stop Firefox from working with a number of very popular websites. The team is only holding off because of how much such a ban would hurt user experience.

The Browser Exploit Against SSL/TLS has earned its BEAST acronym. By injecting JavaScript into an SSL session, it can recover secret information that’s transmitted to a predictable data-stream location. As The Register reported, researchers Thai Duong and Juliano Rizzo were able to use BEAST to recover an encrypted authentication cookie used to access a PayPal account in less than two minutes.

The developers of other browsers have already taken steps to thwart the attack. Last week Google updated Chrome’s developer and beta versions to split messages into fragments and reduce a hacker’s ability to get control of plaintext about to be encrypted. This has created problems with several websites. Microsoft is also said to be working on a fix.

As the Firefox developers noted, though, the best solution is for Oracle to do something. As Firefox Director of Engineering Johnathan Nightingale wrote: “Whatever decision we make here, I really hope Oracle gets an update of their own out. It’s the only way to keep their users affirmatively safe.”