MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2010

MA-225.042010: MyCERT Alert - Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution Vulnerabilities

Date of publication: 2010-04-14
Date last updated: 2010-04-16

1.0 Introduction

A critical vulnerability has been identified in the Oracle JRE Java Platform SE and Java Deployment Toolkit plugins. The Java Deployment Toolkit exposes a launch() method that passes a Java Network Launching Protocol (JNLP) URL to the handler registered for JNLP files; an attacker can abuse this to perform several attacks, including the execution of an arbitrary JAR file.

MyCERT is aware that a '0-day' exploit is available on the Internet at the time of publication of this advisory.

2.0 Impact

An attacker who successfully exploits this vulnerability, for example by tricking a user into visiting a website hosting malicious Java applets, could execute an arbitrary JAR file on the vulnerable system.

3.0 Affected Products

  • Sun JRE (Windows Production Release) 1.6 _13
  • Sun JRE (Windows Production Release) 1.6 _12
  • Sun JRE (Windows Production Release) 1.6 _10
  • Sun JRE (Windows Production Release) 1.6.0_19
  • Sun JRE (Windows Production Release) 1.6.0_18
  • Sun JRE (Windows Production Release) 1.6.0_15
  • Sun JRE (Windows Production Release) 1.6.0_14
  • Sun JRE (Windows Production Release) 1.6.0_11
  • Sun JRE (Linux Production Release) 1.6 _13
  • Sun JRE (Linux Production Release) 1.6 _12
  • Sun JRE (Linux Production Release) 1.6 _10
  • Sun JRE (Linux Production Release) 1.6.0_19
  • Sun JRE (Linux Production Release) 1.6.0_18
  • Sun JRE (Linux Production Release) 1.6.0_15
  • Sun JRE (Linux Production Release) 1.6.0_14
  • Sun JRE (Linux Production Release) 1.6.0_11
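The list above is easier to act on when it is applied to inventory data rather than read by eye. The following script is an added example, not MyCERT's tooling or code from Oracle: it parses the first line of `java -version` output (or a bare version string) collected from hosts, and reports which hosts run one of the JRE 6 update levels listed in section 3.0. Entries written "1.6 _13" in the list are taken to mean 1.6.0_13 (an assumption), and a host reported as "not in the affected list" is only that, not confirmed safe. The sample outputs are constructed.

```python
import re

# JRE 6 update levels listed as affected in section 3.0 (identical for the
# Windows and Linux production releases). Assumption: "1.6 _13" means 1.6.0_13.
AFFECTED_UPDATES = {10, 11, 12, 13, 14, 15, 18, 19}

# Matches the first line of `java -version` output, e.g.  java version "1.6.0_19"
# as well as bare strings such as 1.6.0_19 or the advisory's "1.6 _13" spelling.
_VERSION_RE = re.compile(r'(?:java version\s+")?(\d+)\.(\d+)(?:\.(\d+))?\s*_(\d+)')


def parse_jre_version(text):
    """Return (major, minor, micro, update) from `java -version` output or a
    bare version string, or None when no version string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update))


def is_affected(version):
    """True when the parsed version is one of the JRE 6 updates in section 3.0."""
    if version is None:
        return False
    major, minor, micro, update = version
    return (major, minor, micro) == (1, 6, 0) and update in AFFECTED_UPDATES


def audit(host_outputs):
    """Map host -> `java -version` output to host -> one-line status."""
    report = {}
    for host, output in host_outputs.items():
        v = parse_jre_version(output)
        if v is None:
            report[host] = "no JRE version found"
        elif is_affected(v):
            report[host] = (f"AFFECTED {v[0]}.{v[1]}.{v[2]}_{v[3]:02d}: "
                            "disable the Java Deployment Toolkit plugin and update Java SE")
        else:
            report[host] = (f"not in affected list ({v[0]}.{v[1]}.{v[2]}_{v[3]:02d}); "
                            "verify against the vendor's current advisory")
    return report


# Constructed sample inventory: what `java -version` printed on four hosts.
SAMPLE_OUTPUTS = {
    "ws-01": 'java version "1.6.0_19"\nJava(TM) SE Runtime Environment (build 1.6.0_19-b04)\n',
    "ws-02": 'java version "1.6.0_20"\nJava(TM) SE Runtime Environment (build 1.6.0_20-b02)\n',
    "ws-03": 'java version "1.5.0_22"\nJava(TM) 2 Runtime Environment, Standard Edition\n',
    "ws-04": "bash: java: command not found\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
```

Feed it the captured output of `java -version 2>&1` per host (the JVM prints the version banner on stderr). Because the regex tolerates the "1.6 _13" spelling, the same parser can be run over the advisory text itself to rebuild AFFECTED_UPDATES if the list is revised.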

4.0 Recommendation

As of the writing of this advisory, the vendor of these applications has not released any security patch for this vulnerability. However, users can follow the steps below to disable Java support in their web browser (on Windows and Linux machines) as a temporary workaround if they need to use the Java Development Toolkit:

  • Internet Explorer 6
    • Click on the Tools menu, and then click Internet Options.
    • The Internet Options menu will popup. Click on the Security tab.
    • Click the "Custom Level" button. The "Security Settings" window will be displayed. Scroll down for the heading "Microsoft VM". Set the option "Java Permissions" to "Disable Java".
    • Click OK to save the settings to and close Security Settings.
    • Click OK to close Internet Options.
  • Internet Explorer 7 & 8
    • Click on the Tools menu, and then click Internet Options.
    • Click the Programs tab, and then click Manage Add-ons. Highlight Java Deployment Toolkit.
    • Click Disable (located under "Settings" in version 7).
    • Click OK twice.
  • Mozilla Firefox
    • Click on the Tools menu, and choose Add-ons.
    • Select the Plugins panel.
    • Select Java Deployment Toolkit.
    • Click Disable.

Oracle released a security update for this issue on April 15, 2010. Users are strongly encouraged to download the most recent release of Java SE to address these vulnerabilities.

Users who disabled the Java Deployment Toolkit plugin following the workaround steps above should re-enable it.

Generally, MyCERT advises users of this product to keep up to date with the latest security announcements from the vendor. Users who receive suspicious applets or URLs can forward them to MyCERT for further analysis. MyCERT can be reached through the following channels:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References