The Inquirer-Home

Java Webkit has a security bug

All your parameters are insufficiently validated
Mon Apr 12 2010, 11:37

THE JAVA WEBKIT appears to have a bug that leaves code wide open to attack.

Tavis Ormandy revealed the flaw at Full Disclosure because he thinks that it is in everyone's interest other than Sun's.

The fault is in Java Web Start, which gives Java developers a way to let users launch and install their applications from a URL on a website.

Ever since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control called "Java Deployment Toolkit" to provide developers with a simpler method of distributing their applications to end users. This toolkit is installed by default with the JRE and marked safe for scripting.

The launch method provided by the toolkit object accepts a URL string, which it passes to the registered handler for JNLP files, which in turn by default is the javaws utility.

However, the toolkit provides only minimal validation of the URL parameter, which means an attacker can pass arbitrary parameters to the javaws utility. The command-line options javaws accepts give enough functionality for the flaw to be exploited.
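Defender-side view of the weakness described above, as an added example (not code from the article, from the advisory, or from Sun's toolkit): a strict validator for the launch parameter, and a triage routine over constructed process-creation records that flags javaws launches whose arguments are not exactly one clean JNLP URL. The record layout (image, tab, command line) and the sample records are assumptions made for this example.

```python
"""Validation and log triage for the javaws launch parameter.

Added example, not the toolkit's or the advisory's code. The flaw is that the
Deployment Toolkit hands its URL string to javaws with minimal checks, so
extra command-line tokens ride along. The record format used below
(image<TAB>command line) and the sample records are constructed.
"""
import shlex
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_clean_jnlp_url(param: str) -> bool:
    """Accept a single, well-formed http(s) URL and nothing else."""
    if not param or any(c.isspace() or ord(c) < 0x20 for c in param):
        return False  # whitespace/control chars would split into extra arguments
    if param.startswith("-"):
        return False  # javaws would read this as an option, not a URL
    parts = urlsplit(param)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def flag_javaws_launches(records):
    """Return [(record_no, reason)] for javaws launches that need a look."""
    findings = []
    for n, rec in enumerate(records, 1):
        image, _, cmdline = rec.partition("\t")
        if not image.lower().endswith("javaws.exe"):
            continue
        # posix=False keeps Windows paths and quoted tokens intact; drop argv[0]
        args = shlex.split(cmdline, posix=False)[1:]
        if not args:
            findings.append((n, "no launch argument"))
        elif len(args) > 1:
            findings.append((n, "extra command-line tokens"))
        elif not is_clean_jnlp_url(args[0]):
            findings.append((n, "launch argument is not a clean JNLP URL"))
    return findings


JAVAWS = r"C:\Program Files\Java\jre6\bin\javaws.exe"
SAMPLE_RECORDS = [  # constructed records, not real telemetry
    f'{JAVAWS}\t"{JAVAWS}" http://example.com/app.jnlp',
    f'{JAVAWS}\t"{JAVAWS}" -extra-token http://example.com/app.jnlp',
    r"C:\WINDOWS\system32\notepad.exe" + "\tnotepad.exe readme.txt",
]

if __name__ == "__main__":
    for record_no, reason in flag_javaws_launches(SAMPLE_RECORDS):
        print(f"record {record_no}: {reason}")
```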

Apparently it is such an easy hack that Ormandy felt that it was best that the world plus dog found out about it.

He said that all versions of Java since Java SE 6 update 10 for Microsoft Windows are believed to be affected by this vulnerability. Disabling the Java plugin is not sufficient to prevent the problem.

He admits that exploiting the problem is "not terribly exciting". However he has provided a link to a video, which we guess will lack any car chases.


Comments
This is fixed in Java (1.)6.0.20

Sun/Oracle released an update that seems to fix the issue.

http://www.java.com/en/download/manual.jsp

posted by: Francois Grieu, 15 April 2010
This one is VERY serious

This one is a HUGE security issue for Windows users with Java (1.)6.0.10 or later installed: a script kiddie can take full control of the machine without any user action besides browsing a malicious web page, independent of browser and OS version, without any adverse sign on either exploitable or non-exploitable machines, with hardly any risk of detection by malware scanners. In summary, the perfect zero-day exploit (for targets with Java). I bet the house it will be actively exploited. I have a (second-hand) report that it was the case on April 13.

A temporary workaround appears to be renaming "javaws.exe" to "disabled_javaws.exe" in
C:\WINDOWS\system32
C:\Program Files\Java\jre6\bin

More details at:
http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1
http://seclists.org/fulldisclosure/2010/Apr/119

posted by: Francois Grieu, 15 April 2010