Newly discovered flaw affects all recent Java versions in Windows

Just when you thought it was safe to go back into the water along comes yet another problem

by Michael Smith (Veshengro)

Two researchers released information on a vulnerability in Sun's Java Runtime Environment that could give attackers a new point of attack to perform drive-by-downloads and compromise targeted clients on all current versions of Windows operating systems and several popular browsers. The vulnerability has been rated 'extremely critical' by the experts of security software, G Data. The company expects large attacks, targeting computers with Windows operating systems.

With Java being installed on many computers, this flaw will undoubtedly catch the eye of cyber criminals, who will be quick to find a way to exploit this vulnerability. As this leak can be exploited in most popular browsers, and is not slowed down by the security features of Windows Vista and Windows 7, this could bring serious damage to a large number of computers.

Protect yourself against this

Disabling Java-script does not protect against exploits of this vulnerability. Because it is not yet clear when this leak will be patched by Sun, users need to manually change their settings. For the two most popular browsers there are details below of how to rectify this problem:
- For Microsoft Internet Explorer, it is necessary to set a killbit for the ActiveX class ID CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. The manual on how to do this can be found through the following link: http://support.microsoft.com/kb/240797.

- For Mozilla Firefox, you need to go to the 'Tools' menu and click on 'Add-Ons'. Under the header 'Plugins', you will find the Java Deployment Toolkit, that can be disabled by clicking 'Deactivate'. N.B. Recent updates to the latest versions of Firefox have disabled this Java Deployment Toolkit automatically now.
Background

Security researcher Tavis Ormandy released the information about this vulnerability on seclist.org. The vulnerability originates in the browser plug-in Java Deployment Toolkit, which is installed automatically alongside Java Runtime Environment since version 6 update 10 into browsers like Microsoft Internet Explorer, Mozilla Firefox or Google Chrome. The method launch in the toolkit enables an attacker to execute Java's Web Start Launcher with arbitrary parameters. Ormandy provided a proof-of-concept web page that starts the calculator in Microsoft Windows products.

Only a few hours later, researcher Rubén Santamarta released information on how to load an arbitrary remote DLL. According to Santamarta he was able to bypass security measures DEP and ASLR given that the DLL is directly loaded into the process memory of Web Start Launcher.

While this exploit, as indicated, can also be used in Google Chrome we have not, as yet, found a way to disable, if it is attached, the Java Deployment Toolkit in Chrome. It might be therefore advisable for Chrome users to drive Firefox instead of Chrome for a while, until the problem is overcome.

© 2010