
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Sun Java flaw exposes Windows users to dangerous Web attacks

By | April 9, 2010, 9:18am PDT

Summary: The flaw occurs because the Java browser plug-in's deployment toolkit launches “javaws.exe” without validating its command-line parameters.

Over on Threatpost, Dennis Fisher has a story about a serious Java vulnerability that leaves users running any of the current versions of Windows open to simple Web-based attacks that could lead to a complete compromise of the affected system.

The flaw was disclosed publicly this week by two separate researchers. One of the researchers, Tavis Ormandy of Google, said he decided to go public when Sun declined to issue a prompt fix.

Ormandy explains:

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

For various reasons, I explained that I did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.


The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java browser plug-in's deployment toolkit launches “javaws.exe” without validating its command-line parameters.

“These parameters can be controlled by attackers via specially crafted embed HTML tags within a Web page,” Santamarta warned.

Google’s Ormandy said the toolkit performs only minimal validation of the URL parameter, allowing an attacker to pass arbitrary parameters to the javaws utility, which exposes enough functionality through its command-line arguments for the error to be exploited.

“The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor,” Ormandy explained.

The issue affects all versions since Java SE 6 update 10 for Microsoft Windows. Disabling the Java plug-in is not sufficient to prevent exploitation, as the toolkit is installed independently.

Here is a harmless demonstration of the problem.

Ormandy suggests the following mitigation advice:

  • Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the deployment toolkit is not in widespread usage and is unlikely to impact end users.
  • Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.
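Applying and then verifying both of Ormandy's mitigations on a Windows host, as an added PowerShell example (not code from the article or from Ormandy's advisory). It assumes the documented Internet Explorer kill-bit location under the "ActiveX Compatibility" registry key (Compatibility Flags = 0x400) and that the JRE lives under the Program Files Java directories; only the CLSID and the npdeploytk.dll file name come from the page.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt.
# Assumptions: kill-bit key layout per Microsoft's ActiveX kill-bit mechanism;
# JRE installed under "$env:ProgramFiles\Java" or "${env:ProgramFiles(x86)}\Java".

# CLSID of the Java Deployment Toolkit control, as given in the article.
$ToolkitClsid = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'
$KillBit      = 0x400   # Compatibility Flags bit that stops IE instantiating a control

# Native registry view plus the WOW64 view used by 32-bit IE on 64-bit Windows.
$KillBitKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ToolkitClsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$ToolkitClsid"
)

function Set-ToolkitKillBit {
    # Sets the kill-bit in both views, preserving any flags already present.
    foreach ($key in $KillBitKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}

function Test-ToolkitKillBit {
    # Returns $true only if every kill-bit key exists with the 0x400 bit set.
    foreach ($key in $KillBitKeys) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or -not ($flags -band $KillBit)) { return $false }
    }
    return $true
}

function Get-DeployToolkitDll {
    # Finds every npdeploytk.dll under the assumed Java installation roots.
    $roots = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java") | Where-Object { Test-Path $_ }
    if (-not $roots) { return @() }
    Get-ChildItem -Path $roots -Recurse -Filter 'npdeploytk.dll' -ErrorAction SilentlyContinue
}

function Deny-DeployToolkitDll {
    # Adds a Deny read/execute ACE for Everyone so NPAPI browsers cannot load the DLL.
    foreach ($dll in Get-DeployToolkitDll) {
        $acl  = Get-Acl -Path $dll.FullName
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadAndExecute', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $dll.FullName -AclObject $acl
        Write-Output "Denied read/execute on $($dll.FullName)"
    }
}

# Apply both mitigations and report whether the kill-bit took effect.
Set-ToolkitKillBit
Deny-DeployToolkitDll
if (Test-ToolkitKillBit) { Write-Output "Kill-bit set for $ToolkitClsid" } else { Write-Warning 'Kill-bit not set' }
```

The deny ACE must be removed again before a vendor update that replaces the DLL can install cleanly, so track it alongside the kill-bit in whatever GPO or change record you use.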


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

125 Comments

RE: Sun Java flaw exposes Windows users to dangerous Web attacks
efsane Updated - 9th Apr 2011
Great!!! thanks for sharing this information to us!
sesli sohbet sesli chat
Get with it people. Uninstall those JRE's now if you haven't already. You won't miss them...
0 Votes
stop spreading M$ propaganda!
Linux Geek 9th Apr 2010
researchers have proved that java is more secure than windoze.
The easier fix is not to get rid of Java, but to get rid of windoze in favour of Linux!
0 Votes
Java can't even run with DEP,
jamesrayg 9th Apr 2010
compiling code in the browser is an epically bad idea, because you have to allow writable/executable memory; if we didn't have crappy alternative OSes that everybody just has to be compatible with we would not have abominations like java and .net. Solution, dump linux, mac os x, and bytecode semi-malware.
0 Votes
Wow...that was pretty stupid.
storm14k 9th Apr 2010
Well for one what do other OSes have to do with .Net. It doesn't natively run anywhere else but Windows. Second people want managed code solutions.

The real solution is to just dump Windows...especially seeing how this apparently only affects Windows users.
0 Votes
Except you're wrong on 2 counts
wolf_z 9th Apr 2010
"The real solution is to just dump
Windows...especially seeing how this apparently only affects Windows users."

According to this article in The Register:

http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

"Fellow researcher Ruben Santamarta of Spain-based security firm Wintercore, said a related flaw potentially affects Linux users as well."

Point 2 is, it doesn't affect me. I tried the demo at both work and home (Vista Business/Vista Ultimate) both running IE8 and all I got was a blank white webpage. No pop-ups, no applications, no nothing.

So apparently the only people it does affect are the ones who installed Sun's version of Java... :)
0 Votes
Forcing? NO....
ShadowGIATL 9th Apr 2010
However, if you have WinXP and a copy of the developer redist package of Microsoft VM, it was a much more stable VM than what Sun put out. Before you go crying that this post is pro Microsoft however, it should be noted that this is not a defense of MS, but rather me just pointing out that Sun wasn't any better.

Sun however, IS forcing their version, as they have banned MS from releasing their own version, which ironically was updated more often through Win update. Go figure.
It can be made writable (but not executable) to write the compiled code into it, and then made executable (but not writable) to execute said code.

Just like how when you run any program it gets written into memory, but (usually) the write flag is removed from the code section before executing it.


Also, did you actually read the article? The problem exists in Windows, obviously switching to Windows isn't going to fix it.
0 Votes
Linux not getting a free ride
honeymonster 10th Apr 2010
It has already been established that the problem exists on Linux as well.

The original submitter was uncertain about this, but read this:
http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

"A hidden command-line parameter supported by Java can trigger the bug on Linux machines as well, Santamarta told The Register. He said he was in the process of testing whether the flaw can be exploited to remotely execute code."
meaning that switching from OSX/Linux/etc to Windows won't help.
0 Votes
Let's just deal with the facts here ...
de-void-21165590650301806002836337787023 11th Apr 2010
... and be clear that this is a vuln that affects both Windows and *N*X users.

Switching from one OS to the other will not protect you.
0 Votes
Given the fact that ASLR / DEP were circumvented in less than 120 seconds at CanSec West, I fail to see the point.

I really appreciate your in-depth technical analysis; your years of professional analysis of security holes are obvious.

With such cogent, well defended, well-documented and acute dialog I have been totally dissuaded from my ill-considered opinions about security and will WHOLE-HEARTEDLY embrace DEP/ASLR as my ONLY salvation.

Thank you SOOOOOOOO MUCH.
0 Votes
Read this: Linux affected
honeymonster 10th Apr 2010
http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/

"A hidden command-line parameter supported by Java can trigger the bug on Linux machines as well, Santamarta told The Register. He said he was in the process of testing whether the flaw can be exploited to remotely execute code."
0 Votes
Better yet...
storm14k 9th Apr 2010
...just uninstall Windows and you can use JRE's as much as you want. :)
0 Votes
Nope. That is FUD
honeymonster 10th Apr 2010
"A hidden command-line parameter supported by Java can trigger the bug on Linux machines as well, Santamarta told The Register. He said he was in the process of testing whether the flaw can be exploited to remotely execute code."

Read:
http://www.theregister.co.uk/2010/04/09/critical_java_vulnerability/
but so far no luck.
I think you will find that it takes a lot more work to get this one to work in Linux.

I will not say never though.

In fact I am pretty sure someone will find a way with some added trickery one day.
0 Votes
get a clue
RobertFolkerts 9th Apr 2010
TIOBE language - Java is #2, behind C. The Microsoft proprietary languages (combined) are well behind the JVM languages. Go home fanboy.
0 Votes
oh I wish it were true
JustAITGuy 14th Apr 2010
Let me start off by saying I hate Java. I hope it dies a fast death in Oracle's cupboard. Unfortunately I will be smelling the rotting beans for a long time to come.

As much as I hate Java I am stuck with the JRE like it or not. In my org we are plagued with badly written industry specific vertical apps that depend on the JRE crapware. Unfortunately I can't just pop down to the corner BigBox store and buy a replacement. Moving to a new vendor that (Hopefully) doesn't use a java based backend would cost us a few 100K to license and convert. With a 50% staff reduction in the last 18 months I don't see that as a practical sell to the front office.
How do you figure people won't miss it, if the JRE is required to run specific applications?
0 Votes
Demo not working. Oh, wait, it works
Earthling2 Updated - 9th Apr 2010
Tried this on Win7, IE8, a standard user account.

First time:

---------------------------
Java Virtual Machine Launcher
---------------------------
Unable to access jarfile \\lock.cmpxchg8b.com\calc.jar
---------------------------
OK
---------------------------

The second time a Calculator was launched. It also worked from Chrome. In both cases, the calculator runs with the medium integrity level, so it is not sandboxed. Obviously, if you run as an admin on XP or as an admin with UAC set to the default level in Windows 7, the attacker may have an easy way to play with your system.

So, when you install an application, such as Java runtime, the OS asks if you want to run the setup with full system privileges. If you agree, you trust the application. If it is poorly designed, all bets are off.

Now, the interesting part is that the exploit, as far as I understand it, does not directly execute the code in the plugin. It relies on a separate trusted process to do the dirty work. This separate process runs outside the normal browser sandbox, hence the medium integrity level even with the Chrome browser.

If you read TFA, Santamarta's advisory indicates that Linux machines also are vulnerable. It would be interesting to see a demo that bypasses Firefox AppArmor (again, because a trusted but evil process is launched outside the Firefox process sandbox).

OpenOffice requires Java, right? The security is as weak as the weakest link.

This type of attack is nothing new. See this link:
http://www.ibm.com/developerworks/linux/library/l-sp3.html

The link to the demo page can be found here:
http://seclists.org/fulldisclosure/2010/Apr/119
0 Votes
didn't work for me...
optyk 9th Apr 2010
didn't work for me in either firefox 3.7x64 or in ie8x64 both of which are my main browsers. i haven't bothered to test it in opera as i only use it when i need to view a flash based site.
0 Votes
Me neither. Works on WinXP Mode vm, however.
mechBgon Updated - 9th Apr 2010
Win7, Standard User, UAC at default setting (for standard users, that means maxed), IE8 x32, Java 6u19 (installed just for this demo, finally a use for Java! :) ). I can't get the demo to work.

It works like clockwork on WinXP Mode, however. Finally, a use for WinXP! :)
0 Votes
Stopped working after a reboot
Earthling2 11th Apr 2010
I too downloaded the latest version of JRE for this experiment only. It didn't work, then worked then stopped working after a reboot.

But it did work, on two machines: one real and one VM.
Was never a fan of java and this is just one more reason for me not to like it.
0 Votes
Neither on my Win7 x64 IE8
honeymonster 10th Apr 2010
Nor on my Chrome (main browser). But that may be because I haven't bothered installing Java with Chrome ;)

But the PoCs are not the end all proof. The actual vulnerability may very well be exploitable on platforms where the PoCs currently do not work.

Certainly, the "backdoor" parameter is there on Linux platforms as well. And obviously exploitable through Firefox.
0 Votes
One day, perhaps, but not yet.

That may take some time.

I am not banking on it though.
0 Votes
except that Java is the father of .Net
RobertFolkerts 9th Apr 2010
C# is clearly a Java-like language. The .Net CLR is clearly similar to the JVM. I would argue that C# is superior to Java as a language. But the JVM is a bit better than the CLR - the JVM has been carefully tested by theorem provers & by multiple implementations. Multiple implementations cause designs to be validated by multiple teams.
0 Votes
Try again
honeymonster 10th Apr 2010
The JVM was developed with a close-minded Java-only mindset. The result is a JVM which lends itself poorly to other languages. Yes, there are now many languages implemented on top of the JVM, but they have had to work around these inherent limitations.

.NET CLR was conceived as a multi-language runtime from the start. It contained (and still does) many features *not* accessible from C#. I.e. the CLR is "bigger" than any single language.

If you want examples of the JVM limitations consider this:

JVM does not support unsigned integers, does not support pointers, does not support fixed-length buffers, does not support unmovable objects. All of these are rather impeding when you try to do binary file processing or system level integration.

The JVM does not support generics. Generics is a compiler-only feature of Java. The compiler erases the type during compilation. Consequently, Scala has had to implement their own generics scheme, also using type erasure. The .NET CLR supports generics natively and optimized.

.NET CLR/DLR has now much better support for dynamic languages. Rather than new languages having pair-interoperability with Java, the CLR allows interoperability in a hub-and-spoke architecture. Which means that on the DLR, Ruby objects can be consumed directly and understood by JavaScript, Python etc. On the JVM you cannot mix languages that way. Most languages allow interop with Java using an interop layer, but passing those "adapted" objects on to another language will generally result in failure.
0 Votes
Killer .NET limitation
Saurondor. 10th Apr 2010
Cross platform support. .NET at best has some C# support outside Windows.

JVM, while having some limitations as you mention, has a broader support of all the languages across multiple platforms.
0 Votes
Java has been so enormously successful ...
de-void-21165590650301806002836337787023 11th Apr 2010
... that the vast majority of the apps we all run on all our machines are all written in Java, right?

And I can take any Java app and simply copy it to a different machine running a different OS and that Java app runs flawlessly, correct?

What's that? No you say? Oh ... so Java isn't the panacea that its proponents claim it to be?
0 Votes
Yes I say
Saurondor. 11th Apr 2010
Actually I'd answer yes. I develop in Java for both web based and desktop based applications and apps do run quite flawlessly.

I can deploy my web applications on Linux, Windows or OS X. I can take part of that codebase and use it in desktop applications for different OS types.
0 Votes
Actually, yes
RobertFolkerts 12th Apr 2010
Java is the king of the back office. Java is much larger than .Net in this environment.

Java is also very strong in the web server market. Not only for Java web applications, but also for RoR and increasingly, PHP. Look at the Google AppEngine for an example of robust growth of the JVM for web applications.

And yes, I routinely deploy server applications on whatever platform is needed. Once the Java world stopped using the Microsoft JVM, the cross platform promise has proven to be true.
0 Votes
Java is used extensively...
rjacksix 12th Apr 2010
In corporate environments, specifically because it is hardware and OS agnostic (doesn't care).

I'd venture to safely say that the total amount of enterprise Java out there is rivaled only by the amount of COBOL still being used.
0 Votes
Support for all the languages?
ShadowGIATL 11th Apr 2010
I thought it supported Java only. Hmmm... so you're saying I can program JVM with VB or C#?

In reality, the only reason .NET isn't crossplatform is because Microsoft has made no attempt to make the runtimes available. I seriously doubt it's a priority, considering the Linux community hates all things MS.

Limitation? Only if you're one of the few that doesn't have your head up your butt, and might actually want to play with .NET on Linux.

Granted MS tends to push itself around, and all, but let's face it, until the Linux community stops hating MS for making money, Linux and MS cross compatibility will continue to suffer greatly.
0 Votes
Not those languages
Saurondor. 11th Apr 2010
I meant those like JRuby, Scala, Jython etc. Which run on JVMs. Not VB, C# and other .NET languages. Most of which don't run outside Windows.

Now why would I want to play with .NET on Linux when .NET on Linux is but a subset of .NET on Windows? Meanwhile Java is the same set of features regardless of platform. I feel like I would be deliberately limiting myself by using .NET on Linux. Now if .NET were as well supported as Java is. Then that would be another story altogether. But it isn't.
0 Votes
You've GOT to be kidding me.
AzuMao 11th Apr 2010
"In reality, the only reason .NET isn't crossplatform is because Microsoft has made no attempt to make the runtimes available. I seriously doubt it's a priority, considering the Linux community hates all things MS."

Um, hello, heard of Mono? Moonlight? WINE? The Linux community very much wants Windows-only programs to work on Linux. To say that Microsoft "just hasn't tried hard to help make cross-platform support" is an understatement bordering on bald-faced lie.

"your head up your butt"

Pot, meet kettle.

"until the Linux community stops hating MS for making money, Linux and MS cross compatibility will continue to suffer greatly."

Again, you've got to be kidding me. MS aren't hated for making money, they're hated for going way out of their way to actively prevent cross platform progress. They are known for using anti-competitive practices not just borderline, but entirely illegal, jacking code from the FOSS community, and then saying Linux "is a cancer".. that kind of stuff is why they are hated, not because they make money. Red Hat, Novell, and Canonical make money, but the Linux community don't hate them.
0 Votes
but not all features are available.

I also have noticed that MS has indeed contributed to helping crossplatform.

And you still have your head up your butt if you think a lot of the Linux community doesn't hate MS for being profitable, even if they don't admit it. (after all... we believe everything we here now don't we...)

That said, I agree that MS has its tendencies to lock up their technologies, and have even said so previously. I just don't go out of my way to denounce all things MS, because they do indeed contribute to the tech industry as a whole, and without them, it would just be someone else owning most the market... like... Apple... ehh.
Again, the problem isn't them making money.

It's them going out of their way to hurt competitors rather than competing by making their own products better.

You say not to believe everything I here (hear?).. okay then, I won't believe you. Because nothing you've said makes sense, and none of it is backed up by anything.
0 Votes
Much closer to right...
rjacksix 12th Apr 2010
Actually, JVM stands for Java Virtual Machine and AFAIK it only runs Java and that poorly.

While .Net itself isn't cross platform, you can now write C# code and compile and run it on most Linux boxes because of the Mono project.

Regards
0 Votes
Yes indeed.
ShadowGIATL 12th Apr 2010
And that was the core of the argument. I realized afterwards that mono makes it "cross-platform" for Linux, however it should be noted that not all features are available. But yes, the core C# language can be compiled on Linux using mono.

My biggest point though I was making was that JVM is not the end all to programming problems, and in fact, it has been known to be a problem in itself.

Any realistic programmer not biased by their favorite whatever will tell you that Java runs slow and tends to be buggy compared to most everything... including .NET. Sorry, but it's just true.
0 Votes
If I were to follow your analogy...
rjacksix 12th Apr 2010
COBOL is the father of them all.

(Not)

Languages, by their very nature, have inherent structural similarities. I'm SURE that the developers of .Net would disagree with you in your analysis for a myriad of reasons, some of which include the fact that the inheritance models are totally different and one is a compiled language while the other uses byte-code.

NM
0 Votes
Good news, Americans!: Ubuntu Linux with AppArmor sandboxes Java
Entschuldigung Sie bitte Updated - 9th Apr 2010
Change is coming: Ubuntu Linux 10.04 LTS April 29, 2010
