Sun Java flaw exposes Windows users to dangerous Web attacks

Over on Threatpost, Dennis Fisher has a story about a serious Java vulnerability that leaves users running any of the current versions of Windows open to simple Web-based attacks that could lead to a complete compromise of the affected system.

The flaw was disclosed publicly this week by two separate researchers. One of the researchers, Tavis Ormandy of Google, said he decided to go public when Sun declined to issue a prompt fix.

Ormandy explains:

Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle.

For various reasons, I explained that I did did not agree, and intended to publish advice to temporarily disable the affected control until a solution is available.

The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java-Plugin Browser is running "javaws.exe" without validating command-line parameters.

"These parameters can be controlled by attackers via specially crafted embed HTML tags within a Web page," Santamarta warned.

Google's Ormandy said the the toolkit provides only minimal validation of the URL parameter, allowing a malicious hacker to to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited.

"The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor," Ormandy explaned.

The issue affects all versions since Java SE 6 update 10 for Microsoft Windows. Disabling the java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.

Here is a harmless demonstration of the problem.

Ormandy suggests the following mitigation advice:

• Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the deployment toolkit is not in widespread usage and is unlikely to impact end users.
• Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.