Sun Java flaw exposes Windows users to dangerous Web attacks

Summary: The flaw exists because the Java Deployment Toolkit browser plug-in launches "javaws.exe" with command-line parameters it does not validate.

Over on Threatpost, Dennis Fisher has a story about a serious Java vulnerability that leaves users running any current version of Windows open to simple Web-based attacks that could lead to complete compromise of the affected system.

The flaw was disclosed publicly this week by two separate researchers. One of the researchers, Tavis Ormandy of Google, said he decided to go public when Sun declined to issue a prompt fix.

Ormandy explains:

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.

The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java Deployment Toolkit browser plug-in launches "javaws.exe" (Java Web Start) without validating the command-line parameters it hands to it.

"These parameters can be controlled by attackers via specially crafted embed HTML tags within a Web page," Santamarta warned.

Google's Ormandy said the toolkit performs only minimal validation of its URL parameter, which lets an attacker pass arbitrary parameters to the javaws utility; javaws exposes enough functionality through its command-line arguments for the error to be exploitable.
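To make that failure mode concrete, here is an added illustration in PowerShell. It is not the Deployment Toolkit's code (which is native); the function names and the sample URLs are constructed for this example. The unsafe launcher hands the attacker-supplied string to javaws.exe as one raw command-line string, so any whitespace inside it turns into additional arguments. The hardened launcher accepts exactly one absolute http(s) URL with no whitespace, quotes or leading dash, and refuses everything else before any process is started.

```powershell
# Added illustration of the failure mode described above; this is not the Deployment
# Toolkit's code (which is native), and the function names and sample URLs are constructed.

function Invoke-JavawsUnsafe {
    param([string]$Url)
    # A single string passed to -ArgumentList is handed to the child as its raw command
    # line, so Windows splits it on whitespace: "http://host/app.jnlp -x y" reaches
    # javaws.exe as three arguments, two of which the attacker chose.
    Start-Process -FilePath 'javaws.exe' -ArgumentList $Url
}

function Test-JnlpUrl {
    param([string]$Url)
    # Accept exactly one plain absolute http(s) URL and nothing else:
    #  - whitespace, control characters or quotes could become extra arguments
    #  - a leading '-' would be parsed by javaws as an option rather than a URL
    #  - only http/https are expected for a JNLP launch; file:, UNC paths and the rest are out
    if ([string]::IsNullOrEmpty($Url)) { return $false }
    if ($Url -match '[\s\x00-\x1f"]') { return $false }
    if ($Url.StartsWith('-')) { return $false }
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    return @('http', 'https') -contains $uri.Scheme
}

function Invoke-JavawsSafe {
    param([string]$Url)
    if (-not (Test-JnlpUrl $Url)) {
        throw "Refusing to launch javaws.exe: '$Url' is not a plain http(s) URL"
    }
    # Quote the value so the child sees exactly one argument.
    Start-Process -FilePath 'javaws.exe' -ArgumentList ('"{0}"' -f $Url)
}

# Constructed inputs: a normal launch URL, one with trailing arguments smuggled in,
# a bare option, and a non-http scheme.
$samples = @(
    'http://example.invalid/app.jnlp',
    'http://example.invalid/app.jnlp -someflag value',
    '-someflag',
    'file:///C:/app.jnlp'
)
foreach ($s in $samples) { '{0,-5} {1}' -f (Test-JnlpUrl $s), $s }
```

Only the first of the four constructed inputs passes Test-JnlpUrl; the other three are rejected before javaws.exe is ever started. The check is deliberately an allow-list (one URL, two schemes) rather than a deny-list of known javaws options, because the advisory's point is that any argument the launcher cannot account for is the attacker's to choose.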

"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor," Ormandy explained.

The issue affects all versions since Java SE 6 Update 10 for Microsoft Windows. Disabling the Java plug-in is not sufficient to prevent exploitation, because the Deployment Toolkit is installed and registered independently of the plug-in: as an ActiveX control in Internet Explorer and as npdeploytk.dll for NPAPI browsers such as Firefox, both of which the mitigations below address.

Ormandy's advisory includes a link to a harmless demonstration of the problem.

Ormandy suggests the following mitigation advice:

  • Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the deployment toolkit is not in widespread usage and is unlikely to impact end users.
  • Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.
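As an added worked example (this is not code from Ormandy's advisory; it implements his two bullets on a single machine), the following PowerShell sets the kill bit and applies the file ACL, then reports what it touched. It assumes the JRE is installed under Program Files and that 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node hive, so the kill bit is written there as well; run it from an elevated prompt. For a fleet, the same registry value and file ACL are what the GPO would push.

```powershell
# Added example implementing the two mitigations above; this is not code from the advisory.
# Assumptions: the JRE is installed under Program Files (32- or 64-bit), and 32-bit IE on
# 64-bit Windows reads the Wow6432Node hive, so the kill bit is written there as well.
# Run from an elevated PowerShell prompt.

$DeployToolkitClsid = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'   # CLSID named in the advisory
$KillBit = 0x00000400   # "Compatibility Flags" bit that stops IE from instantiating a control

# 1. Internet Explorer: set the kill bit on the Deployment Toolkit ActiveX control.
$compatBases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
foreach ($base in $compatBases) {
    if (-not (Test-Path -Path $base)) { continue }   # Wow6432Node does not exist on 32-bit Windows
    $key = Join-Path -Path $base -ChildPath $DeployToolkitClsid
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if (-not $flags) { $flags = 0 }
    # OR the bit in rather than overwrite, so any other compatibility flags survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
    "Kill bit set under $key"
}

# 2. Firefox and other NPAPI browsers: deny Everyone read/execute on npdeploytk.dll so the
#    browser cannot load the plug-in. Every copy under the JRE install tree(s) is covered.
$javaRoots = @("$env:ProgramFiles\Java")
if (${env:ProgramFiles(x86)}) { $javaRoots += "${env:ProgramFiles(x86)}\Java" }
$javaRoots = @($javaRoots | Where-Object { Test-Path -Path $_ })

$dlls = @()
if ($javaRoots.Count -gt 0) {
    $dlls = @(Get-ChildItem -Path $javaRoots -Recurse -Filter 'npdeploytk.dll' -ErrorAction SilentlyContinue)
}
foreach ($dll in $dlls) {
    $acl = Get-Acl -Path $dll.FullName
    $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'ReadAndExecute', 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -Path $dll.FullName -AclObject $acl
    "Read/execute denied to Everyone on $($dll.FullName)"
}
if ($dlls.Count -eq 0) { "npdeploytk.dll not found under: $($javaRoots -join ', ')" }
```

Two things to keep in mind when rolling this out. The deny rule applies to administrators too (Everyone includes them), which is what you want for a mitigation, and it does not remove WRITE_DAC, so an administrator can still roll it back by building the same rule and calling $acl.RemoveAccessRule($deny) followed by Set-Acl. The kill bit persists across Java updates, so once a fixed toolkit is installed, revisit the Compatibility Flags value rather than assuming the update cleared it.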


Talkback

125 comments
  • Wake up people! Anyone who has a JRE installed is still living in the 90's

    Get with it people. Uninstall those JREs now if you haven't already. You won't miss them...
    Johnny Vegas
    • stop spreading M$ propaganda!

      researchers have proved that java is more secure than windoze.
      The easier fix is not to get rid of Java, but to get rid of windoze in favour of Linux!
      Linux Geek
      • Java can't even run with DEP,

        compiling code in the browser is an epically bad idea, because you have to allow writeable/executable memory. If we didn't have crappy alternative OSes that everybody just has to be compatible with, we would not have abominations like Java and .NET. Solution: dump Linux, Mac OS X, and bytecode semi-malware.
        jamesrayg
        • Wow...that was pretty stupid.

          Well, for one, what do other OSes have to do with .NET? It doesn't natively run anywhere else but Windows. Second, people want managed code solutions.

          The real solution is to just dump Windows...especially seeing how this apparently only affects Windows users.
          storm14k
          • Except you're wrong on 2 counts

            "The real solution is to just dump Windows...especially seeing how this apparently only affects Windows users."

            According to this article in The Register:

            http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

            "Fellow researcher Ruben Santamarta of Spain-based security firm Wintercore, said a related flaw potentially affects Linux users as well."

            Point 2 is, it doesn't affect me. I tried the demo at both work and home (Vista Business/Vista Ultimate) both running IE8 and all I got was a blank white webpage. No pop-ups, no applications, no nothing.

            So apparently the only people it does affect are the ones who installed Sun's version of Java... :)
            wolf_z
          • Wait, what? Microsoft are forcing their own weird version, like Apple, now?

            AzuMao
          • Forcing? NO....

            However, if you have WinXP and a copy of the developer redist package of the Microsoft VM, it was a much more stable VM than what Sun put out. Before you go crying that this post is pro Microsoft however, it should be noted that this is not a defense of MS, but rather me just pointing out that Sun wasn't any better.

            Sun however, IS forcing their version, as they have banned MS from releasing their own version, which ironically was updated more often through Win update. Go figure.
            ShadowGIATL
        • Do you even understand how memory permissions work?

          It can be made writable (but not executable) to write the compiled code into it, and then made executable (but not writable) to execute said code.

          Just like how when you run any program it gets written into memory, but (usually) the write flag is removed from the code section before executing it.

          Also, did you actually read the article? The problem exists in Windows, obviously switching to Windows isn't going to fix it.
          AzuMao
          • Linux not getting a free ride

            It has already been established that the problem exists on Linux as well.

            The original submitter was uncertain about this, but read this:
            http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

            "A hidden command-line parameter supported by Java can trigger the bug on Linux machines as well, Santamarta told The Register. He said he was in the process of testing whether the flaw can be exploited to remotely execute code."
            honeymonster
          • I didn't say it didn't exist in anything else, I said it existed in Windows

            meaning that switching from OSX/Linux/etc to Windows won't help.
            AzuMao
          • Let's just deal with the facts here ...

            ... and be clear that this is a vuln that affects both Windows and *N*X users.

            Switching from one OS to the other will not protect you.
            de-void-21165590650301806002836337787023
        • You make that sound like a bad thing...

          Given the fact that ASLR / DEP were circumvented in less than 120 seconds at CanSec West, I fail to see the point.

          I really appreciate your in-depth technical analysis; your years of professional analysis of security holes are obvious.

          With such cogent, well defended, well-documented and acute dialog I have been totally dissuaded from my ill-considered opinions about security and will WHOLE-HEARTEDLY embrace DEP/ASLR as my ONLY salvation.

          Thank you SOOOOOOOO MUCH.
          rjacksix
    • RTFA; "current versions of Windows". Solution; uninstall Windows.

      AzuMao
      • Read this: Linux affected

        http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

        "A hidden command-line parameter supported by Java can trigger the bug on Linux machines as well, Santamarta told The Register. He said he was in the process of testing whether the flaw can be exploited to remotely execute code."
        honeymonster
        • Translation; not even an early PoC working, let alone in-the-wild attacks.

          AzuMao
    • Better yet...

      ...just uninstall Windows and you can use JREs as much as you want. :-)
      storm14k
      • Nope. That is FUD

        "A hidden command-line parameter supported by Java can trigger the bug on Linux machines as well, Santamarta told The Register. He said he was in the process of testing whether the flaw can be exploited to remotely execute code."

        Read:
        http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/
        honeymonster
        • But they have not succeeded (YET!) They may some day,

          but so far no luck.
          I think you will find that it takes a lot more work to get this one to work in Linux.

          I will not say never though.

          In fact I am pretty sure someone will find a way with some added trickery one day.
          hkommedal
    • get a clue

      TIOBE language - Java is #2, behind C. The Microsoft proprietary languages (combined) are well behind the JVM languages. Go home fanboy.
      RobertFolkerts
    • oh I wish it were true

      Let me start off by saying I hate Java. I hope it dies a fast death in Oracle's cupboard. Unfortunately I will be smelling the rotting beans for a long time to come.

      As much as I hate Java I am stuck with the JRE like it or not. In my org we are plagued with badly written industry specific vertical apps that depend on the JRE crapware. Unfortunately I can't just pop down to the corner BigBox store and buy a replacement. Moving to a new vendor that (hopefully) doesn't use a Java based backend would cost us a few 100K to license and convert. With a 50% staff reduction in the last 18 months I don't see that as a practical sell to the front office.
      JustAITGuy