From the article: "The ultimate irony of this attack is that the owner of mysql.com is Oracle Corp., which also owns Java, a software suite that I have often advised readers to avoid due to its numerous security and update problems."
Seriously, I'm not a fan of Java, but still, a software suite?
Anyway, it's quite hard taking that article seriously after that.
Get off your high horse. An installation of the JRE on Windows will install the Java VM, plugins for several browsers, a Java update scheduler, the Java Web start framework, a control panel and a bunch of other related utilities. In other words, a software suite.
Did you update all your Java installations – client and server – to at least Java 6 update 26 in June 2011?
There were a dozen "unauthorized Operating System takeover including arbitrary code execution" bugs fixed at that time, some exploitable via untrusted applets, others via tricking server installs to submit certain data to standard APIs:
I've had the Java plugin disabled in firefox for a long time now. On the very rare occasions I need it, you can re-enable it without restarting the browser (unlike extensions.)
Lately, yes. Over the last couple of years (read: after Microsoft mostly cleaned up its act), Java has been one of the primary sources of client exploits, along with Adobe products.
I don't know that there's anything special wrong with it other than that anything deployed widely enough makes a good target.
Of course, the JVM is the JVM wherever it runs, but when one is under the impression of a blanket statement like "Java is secure", they're likely to be thinking of server-side processes which rarely get compromised for reasons you've stated - despite having the same "level of security" wrt vulnerabilities.
I think the point was that most of the visitors to mysql.com are developers and system administrators, and compromises to their machines can probably be leveraged into compromises of other sites. I doubt we've heard the last of this.
Doing this operation requires quite an effort. And you do not really know how long it will take until this root access is fixed (you cannot really trust a random vendor on a hackers' forum, this post could be searchable through Google by mysql admins, some internal audit program could detect the intrusion.)
So the easiest thing to monetize is to insert malware that puts a trojan on visitors' machines. Next, hack into their bank accounts, or use these as part of a botnet or whatever. You've basically got a highly visited place to put classic malware.
The point is: doing such things as replacing the mysql source flawlessly is hard; do not underestimate the effort needed to do that.
The attackers were focusing on client workstations to infect with malware; that's where the big money is. Potentially they could have owned some mysql installs by replacing installer binaries, but it's less interesting for banking fraud etc.
I think that they just have access to 1 or more web servers. The hostname in the screenshot is http3.web.mysql.com. An organization like Oracle would presumably have multiple levels of security. It's likely the web servers would run in a DMZ, i.e. the lowest level of security.
Pretty sure he meant "rooted" in the sense of "inserted exploits into the codebase". In some sense that's much worse than mere root access to the host. Such a database could, for example, phone home with all updates to tables named "passwords", etc...
And even in the more banal sense you interpreted, sure: you might not run mysql.com-sourced daemons as root. But you almost certainly run the mysql command line utility as root from time to time.
The Armorize screencast embedded in the article is really wonderful. It's concise, full of information, and clear enough to duplicate the steps on your own. A nice 5-minute detective story.
This whole mysql saga was an excellent reminder to turn Java off again. I'd enabled it a few weeks ago for a site that I simply had to use and then promptly forgot to disable it afterwards.
If you use Firefox, the NoScript add-on has the option to block Java applets from any sites that you haven't specifically marked as being trusted. It can also block unwanted JavaScript, Flash, Silverlight and other plugins. (http://noscript.net)
Well, it may be that the frightening reality is such that supply is so abundant that a single site with 12m dailies doesn't demand the prices one might expect.
It's hard to say, but generally public postings like that are a cover-up to cover tracks.
You might imagine that no one ever puts such an offer on public (or private with everyone having access to it) kinds of boards.
It's a very usual thing to do; at least, back in the day <strikeout>we</strikeout> they were doing that every time we weren't 200% sure of our tracks or for highly advertised targets (yeah, you risk less hacking a whole ISP than you do hacking a nooby site such as mysql.com).
It wasn't sold for $3K, as far as I can tell. The screenshot linked to reads "Don't bother calling if you don't have $3K". Now that might mean asking price or it might mean an order of magnitude, but it certainly seems like the domain was positioned as on auction.
You also have to figure it's very temporary root access, until a real root user repairs it from an uncompromised offline backup. It's not like they're selling the entire MySQL site in perpetuity for $3k.
Flash is likely the single most installed software in the world. Consider how many Windows, Mac, and Linux desktops and Android devices have Flash. Thus, Flash is an extremely popular target for bad guys.
Because plugins run in their own process, not subject to the sandboxing you'd find in Chrome/Safari for instance. Plugins are given pretty high trust.
I always browse with all plugins and java disabled. If a site uses Flash, I typically will just move on unless it's something absolutely essential to what I'm doing. Surprising how many sites that use Flash don't have any usable fallback for clients that don't support it or have it disabled.
I don't think I've come across a Java applet in the last 5 years. I see NO need to allow Java in the browser unless it's for a trusted, internal-use application.
Good move. I suppose the most vulnerable are those driving desks who are forced to use IE7, a Standard Operating Environment that runs these plugins, or some internal business application that requires them.
I decoded the scripts on some recent WordPress blogs that were hacked. It would try to exploit Java first, then Flash if that didn't work, and then a couple other things if I recall correctly.
I went to mysql.com this morning and Symantec popped up with a "malware detected" message. Do we know which browsers are vulnerable, and how to tell whether I'm infected?
Well, currently the malware itself is not detected. OK, some anti-virus solutions detect the piece of malware as suspicious or as a packed executable (which is suspicious, of course). But those detections are just based on the inner workings of the executable or how it behaves. It's not being detected by anti-virus definitions; it will be a matter of time before anti-virus providers add definitions for this piece of malware.
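The comment above distinguishes signature-based detection from heuristic detection of a "packed executable". The following is an added example (not code from the commenter or from any anti-virus vendor) showing the kind of generic heuristic that flags a sample as packed before a signature exists: per-section Shannon entropy, with executable sections near 8 bits/byte treated as likely compressed or encrypted. The section contents and the 7.0 bits/byte threshold are constructed assumptions for illustration, not data from the mysql.com incident.

```python
import math
import random
from collections import Counter

# Heuristic cut-off (assumption): compressed or encrypted code sits close to
# the 8 bits/byte maximum, while ordinary machine code and strings sit well below.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def analyze_sections(sections: dict) -> dict:
    """Score each section and decide whether the binary looks packed.

    `sections` maps a section name to (raw_bytes, is_executable).
    A binary is reported as likely packed when any executable section
    has entropy at or above PACKED_THRESHOLD.
    """
    report = {}
    for name, (data, executable) in sections.items():
        entropy = shannon_entropy(data)
        report[name] = {
            "size": len(data),
            "executable": executable,
            "entropy": round(entropy, 3),
            "high_entropy": entropy >= PACKED_THRESHOLD,
        }
    likely_packed = any(r["executable"] and r["high_entropy"] for r in report.values())
    return {"sections": report, "likely_packed": likely_packed}


# Constructed sample 1: a plain binary. Repeated x86 prologue bytes stand in for
# ordinary code, and a repeated C string stands in for the data section.
SAMPLE_PLAIN = {
    ".text": (b"\x55\x89\xe5\x83\xec\x10" * 700, True),
    ".data": (b"Hello, world\x00" * 100, False),
}

# Constructed sample 2: a packed binary. A seeded PRNG produces a high-entropy
# payload section; a small low-entropy stub section stands in for the unpacker.
_rng = random.Random(2011)
SAMPLE_PACKED = {
    "UPX0": (bytes(_rng.getrandbits(8) for _ in range(4096)), True),
    "UPX1": (b"\x60\xbe\x00\x10\x40\x00" * 64, True),
}


def main() -> None:
    for label, sample in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        result = analyze_sections(sample)
        print(f"{label}: likely_packed={result['likely_packed']}")
        for name, info in result["sections"].items():
            print(f"  {name:6} size={info['size']:5} exec={info['executable']!s:5} "
                  f"entropy={info['entropy']:.3f}")


if __name__ == "__main__":
    main()
```

The verdict is deliberately coarse: legitimate installers and media-heavy binaries also carry high-entropy sections, which is exactly why the commenter calls such a hit "suspicious" rather than a definitive detection.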
In reality, how many people actually downloaded it from the website, rather than running "{yum/apt-get} install mysql-server"? The documentation is a different issue; it's probably much more popular than the downloads themselves.