Sun Java flaw exposes Windows users to dangerous Web attacks

Summary: The flaw occurs because the Java-Plugin Browser is running "javaws.exe" without validating command-line parameters.

Over on Threatpost, Dennis Fisher has a story about a serious Java vulnerability that leaves users running any of the current versions of Windows open to simple Web-based attacks that could lead to a complete compromise of the affected system.

The flaw was disclosed publicly this week by two separate researchers. One of the researchers, Tavis Ormandy of Google, said he decided to go public when Sun declined to issue a prompt fix.

Ormandy explains:

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.


The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running "javaws.exe" without validating command-line parameters.

"These parameters can be controlled by attackers via specially crafted embed HTML tags within a Web page," Santamarta warned.

Google's Ormandy said the toolkit provides only minimal validation of the URL parameter, allowing a malicious hacker to pass arbitrary parameters to the javaws utility, which exposes enough functionality through its command-line arguments for this error to be exploited.

"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor," Ormandy explained.

The issue affects all versions since Java SE 6 update 10 for Microsoft Windows. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.

Here is a harmless demonstration of the problem.

Ormandy suggests the following mitigation advice:

  • Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the deployment toolkit is not in widespread usage and is unlikely to impact end users.
  • Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.
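As an added example of applying and checking Ormandy's two mitigations (this is not code from the advisory or the article), the following PowerShell sets the IE killbit for the CLSID above and denies read/execute on npdeploytk.dll for NPAPI browsers. The registry path and 0x400 flag are the standard IE ActiveX Compatibility mechanism; the Java install directories searched are assumptions and should be adjusted for the host.

```powershell
# Added example, not part of the original advisory. Run from an elevated prompt.
$clsid = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'   # Deployment Toolkit control, from the advisory
$killbitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$KILLBIT = 0x400   # "Compatibility Flags" bit that blocks the control in IE

function Set-JavaDtKillbit {
    # Create the key if missing, then OR the killbit into any existing flags
    if (-not (Test-Path $killbitKey)) { New-Item -Path $killbitKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $killbitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KILLBIT
    Set-ItemProperty -Path $killbitKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-JavaDtKillbit {
    $flags = (Get-ItemProperty -Path $killbitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KILLBIT) -eq $KILLBIT)
}

# NPAPI side: a Deny ACE for Everyone stops Firefox from loading the DLL
function Block-NpDeployTk {
    param([string]$DllPath)
    if (-not (Test-Path $DllPath)) { Write-Warning "not found: $DllPath"; return }
    $acl  = Get-Acl $DllPath
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $DllPath -AclObject $acl
}

function Test-NpDeployTkBlocked {
    param([string]$DllPath)
    if (-not (Test-Path $DllPath)) { return $true }   # not installed means nothing to load
    $rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $hit = (Get-Acl $DllPath).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'Everyone' -and
        (($_.FileSystemRights -band $rx) -eq $rx) }
    return [bool]$hit
}

Set-JavaDtKillbit
"Killbit set: $(Test-JavaDtKillbit)"
# Assumed default JRE locations; every copy of the plugin DLL under them is blocked
$roots = 'C:\Program Files\Java', 'C:\Program Files (x86)\Java'
Get-ChildItem -Path $roots -Recurse -Filter npdeploytk.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Block-NpDeployTk $_.FullName; "$($_.FullName) blocked: $(Test-NpDeployTkBlocked $_.FullName)" }
```

The same ACL change can be pushed fleet-wide through a GPO file-system security setting, as the advisory notes, and the Test- functions give a quick audit of whether either control is in place.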


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
