Secunia SmallBusiness
Overview
Advisories
Research
Forums
Create Profile
Our Commitment
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading

Secunia Advisory SA39260

Sun Java Deployment Toolkit Argument Injection Vulnerability
Secunia Advisory SA39260
Secunia VIM 4.0 - Free Trial
Release Date 2010-04-12
Last Update 2010-07-05
   
Popularity 20,730 views
Comments 12 comments

Criticality level Highly criticalHighly critical
Impact System access
Where From remote
Authentication level This information is available to Secunia VIM customers
   
Report reliability This information is available to Secunia VIM customers
Solution Status Vendor Patch
   
Systems affected This information is available to Secunia VIM customers
Approve distribution This information is available to Secunia VIM customers
Remediation status Secunia CSI, Secunia PSI
Automated scanning Secunia CSI, Secunia PSI
   
Software:
Sun Java JDK 1.6.x / 6.x
Sun Java JRE 1.6.x / 6.x
Secunia CVSS Score This information is available to Secunia VIM Customers
CVE Reference(s) CVE-2010-0886 CVSS score available to Secunia VIM customers
CVE-2010-0887 CVSS score available to Secunia VIM customers
CVE-2010-1423 CVSS score available to Secunia VIM customers
  

Description

A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input sanitation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context.

Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected.


Solution
Update to JRE or JDK version 6 Update 20.
Further details available to Secunia VIM customers

Provided and/or discovered by
Independently discovered by Tavis Ormandy and Ruben Santamarta.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Tavis Ormandy:
http://archives.neohapsis.com/archives/fulldisclosure/2010-04/0122.html

Ruben Santamarta:
http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1

Oracle:
http://java.sun.com/javase/6/webnotes/6u20.html
http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html

Other references
Further details available to Secunia VIM customers

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available to Secunia VIM customers


Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Sun Java Deployment Toolkit Argument Injection Vulnerability
 
User Message
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 13th Apr, 2010 12:19
Score: 2324
Posts: 3,203
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 13th Apr, 2010 16:51		 Can Secunia advise if disabling the Plug-in in Firefox acts as as solution/workaround .

Thank you .

EDIT: I have just come across this Secunia blog entry which seems to expand a little (last paragraph) on the SA solution/workaround :-

http://secunia.com/blog/95

Perhaps that is all that is known for now .

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+2
-2
pc.tech1 RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 13th Apr, 2010 17:57
Score: 5
Posts: 17
User Since: 13th Feb 2010
System Score: N/A
Location: US
Last edited on 13th Apr, 2010 17:57		 FYI...

- http://www.mail-archive.com/full-disclosure@lists.grok.org.uk /msg40571.html
Tavis Ormandy - Fri, 09 Apr 2010 (See "Mitigation") "... Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle..."

.

--
This machine has no brain.
Use your own.
.
Was this reply relevant?
+1
-0
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 15th Apr, 2010 11:11
Score: 2324
Posts: 3,203
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
The link in pc.tech1's post is not working for me .

Here is another version of Tavis Ormandy's disclosure , where you will see it says that disabling the plug-in is not a solution .:-

http://seclists.org/fulldisclosure/2010/Apr/119

The actual degree of risk is not clear ; but then again perhaps you do not actually need Java for your particular computer needs .

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
HedgeHog RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 15th Apr, 2010 14:04
Score: 0
Posts: 1
User Since: 26th May 2008
System Score: N/A
Location: DE
Last edited on 15th Apr, 2010 14:04		 What about Version 6 Update 20? Does it fix the Problem?
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 15th Apr, 2010 14:40
Score: 2324
Posts: 3,203
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 15th Apr, 2010 14:42		 The Secunia Advisory 39260 now shows Vendor Patch as the solution in the top part , but does not specify 6U20 lower down - as yet .

6U20 certainly addresses the JNLP files mentioned in the disclosure.

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
Alan_Baxter RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 15th Apr, 2010 18:18
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
 Where do you see that Anthony? http://secunia.com/advisories/39260/ still says:
Solution
Do not browse untrusted websites or follow untrusted links. Set the kill-bit for affected ActiveX controls.

I can't see where it mentions 6U20 at all.
Was this reply relevant?
+0
-0
SidcupSilverSurfer Java update downloaded via Secunia today 15 SPRIL
Member 15th Apr, 2010 18:34
Score: 0
Posts: 3
User Since: 11th Mar 2009
System Score: N/A
Location: N/A
 Have downloaded the update for Java suggested by Secunia today but still get TWO notifications that Java needs attention.

Have installed the download twice but Secunia is still throwing Java up (twice).

There always seem problems when Java needs attention - wish I could do without it entirely but unfortunately I cannot.

Is there a fix please.
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 15th Apr, 2010 19:30
Score: 2324
Posts: 3,203
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 15th Apr, 2010 19:34		 Hello Alan_Baxter ,

Well my eyes might be old but when I posted earlier , "Solution Status" in the upper part of the SA definitely said "vendor patch" (or words to that effect) . Now it says "unpatched" . The lower part "Solution" was as you see/saw it and there was never any mention of U 20 (as I said).

I have downloaded the 6 U 20 and the Java Deployment Toolkit shows both U 19 and U 20 version Plug-ins for Firefox and Chrome (Dev channel version) and points to their respective .dll files. So the old version was not seemingly un-installed .

The relevant files are in the C:\Program Files\..\bin\new plug_in\.. folder . I have emailed Java support to ask them to clarify .

PSI only records the two installations it displays for my XP SP3 OS as U 20 in the "patched" tab and shows me good to surf in IE or Firefox (Chrome Dev version is not tracked) in the "secure browsing" tab .

That's as much as I can "see" :)

Anthony




--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
pc.tech1 RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 16th Apr, 2010 03:54
Score: 5
Posts: 17
User Since: 13th Feb 2010
System Score: N/A
Location: US
Last edited on 16th Apr, 2010 03:54		 FYI...

Java JRE 6 Update 20 released
- http://java.sun.com/javase/downloads/index.jsp
April 15, 2010

Changes in 1.6.0_20
- http://java.sun.com/javase/6/webnotes/6u20.html
"This release contains fixes for security vulnerabilities..."
3 Bug Fixes...

.

--
This machine has no brain.
Use your own.
.
Was this reply relevant?
+0
-0
Alan_Baxter RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 16th Apr, 2010 05:39
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
 Thank you, Anthony. I uninstalled U19 before installing U20 on Windows XP SP3, so there is no trace of U19 in my Firefox plugins, just the two from U20. A PSI scan finds only the two usual exes:
Program Files\Java\jre6\bin\java.exe
WINDOWS\system32\java.exe
both for version U20 and "patched" (of course, since it's the most recent version).

Both of those files are also listed as "Insecure, no solution SA39260" in the Secure Browsing pane, under IE8, Firefox, and SeaMonkey.
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 16th Apr, 2010 12:19
Score: 2324
Posts: 3,203
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 16th Apr, 2010 12:23		 Hello Alan_Baxter ,

As the SA now shows 6 U 20 as the solution and not holding my breath waiting for Java support , I have manually deleted the left behind (?) "npdeploytk.dll version 6.0.190.4" file - in the ..\bin\new_plugin\.. folder - to err on the side of safety .

All clear again !!! in "seure browsing" .

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
Alan_Baxter RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 16th Apr, 2010 16:51
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
(unknown source)
As the SA now shows 6 U 20 as the solution ...

I see it too. :)
I agree that deleting any left-over U19 files is prudent.
Was this reply relevant?
+0
-0

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom
 
© 2002-2013 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability