Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: Sun Java Deployment Toolkit Argument Injection Vulnerability

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
Sun Java Deployment Toolkit Argument Injection Vulnerability

Secunia Sun Java Deployment Toolkit Argument Injection Vulnerability
Secunia Official 13th Apr, 2010 12:19
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input sanitation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context.

Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected.

Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 13th Apr, 2010 12:19
Score: 2434
Posts: 3,318
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 13th Apr, 2010 16:51
Can Secunia advise if disabling the Plug-in in Firefox acts as as solution/workaround .

Thank you .

EDIT: I have just come across this Secunia blog entry which seems to expand a little (last paragraph) on the SA solution/workaround :-

http://secunia.com/blog/95

Perhaps that is all that is known for now .

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+2
-2
pc.tech1 RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 13th Apr, 2010 17:57
Score: 5
Posts: 17
User Since: 13th Feb 2010
System Score: N/A
Location: US
Last edited on 13th Apr, 2010 17:57
FYI...

- http://www.mail-archive.com/full-disclosure@lists.grok.org.uk /msg40571.html
Tavis Ormandy - Fri, 09 Apr 2010 (See "Mitigation") "... Sun has been informed about this vulnerability, however, they informed me they do not consider this vulnerability to be of high enough priority to break their quarterly patch cycle..."

.

--
This machine has no brain.
Use your own.
.
Was this reply relevant?
+1
-0
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 15th Apr, 2010 11:11
Score: 2434
Posts: 3,318
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

The link in pc.tech1's post is not working for me .

Here is another version of Tavis Ormandy's disclosure , where you will see it says that disabling the plug-in is not a solution .:-

http://seclists.org/fulldisclosure/2010/Apr/119

The actual degree of risk is not clear ; but then again perhaps you do not actually need Java for your particular computer needs .

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
HedgeHog RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 15th Apr, 2010 14:04
Score: 0
Posts: 1
User Since: 26th May 2008
System Score: N/A
Location: DE
Last edited on 15th Apr, 2010 14:04
What about Version 6 Update 20? Does it fix the Problem?
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 15th Apr, 2010 14:40
Score: 2434
Posts: 3,318
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 15th Apr, 2010 14:42
The Secunia Advisory 39260 now shows Vendor Patch as the solution in the top part , but does not specify 6U20 lower down - as yet .

6U20 certainly addresses the JNLP files mentioned in the disclosure.

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
Alan_Baxter RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 15th Apr, 2010 18:18
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
Where do you see that Anthony? http://secunia.com/advisories/39260/ still says:
Solution
Do not browse untrusted websites or follow untrusted links. Set the kill-bit for affected ActiveX controls.

I can't see where it mentions 6U20 at all.
Was this reply relevant?
+0
-0
SidcupSilverSurfer Java update downloaded via Secunia today 15 SPRIL
Member 15th Apr, 2010 18:34
Score: 0
Posts: 3
User Since: 11th Mar 2009
System Score: N/A
Location: N/A
Have downloaded the update for Java suggested by Secunia today but still get TWO notifications that Java needs attention.

Have installed the download twice but Secunia is still throwing Java up (twice).

There always seem problems when Java needs attention - wish I could do without it entirely but unfortunately I cannot.

Is there a fix please.

Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 15th Apr, 2010 19:30
Score: 2434
Posts: 3,318
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 15th Apr, 2010 19:34
Hello Alan_Baxter ,

Well my eyes might be old but when I posted earlier , "Solution Status" in the upper part of the SA definitely said "vendor patch" (or words to that effect) . Now it says "unpatched" . The lower part "Solution" was as you see/saw it and there was never any mention of U 20 (as I said).

I have downloaded the 6 U 20 and the Java Deployment Toolkit shows both U 19 and U 20 version Plug-ins for Firefox and Chrome (Dev channel version) and points to their respective .dll files. So the old version was not seemingly un-installed .

The relevant files are in the C:\Program Files\..\bin\new plug_in\.. folder . I have emailed Java support to ask them to clarify .

PSI only records the two installations it displays for my XP SP3 OS as U 20 in the "patched" tab and shows me good to surf in IE or Firefox (Chrome Dev version is not tracked) in the "secure browsing" tab .

That's as much as I can "see" :)

Anthony




--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-0
pc.tech1 RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 16th Apr, 2010 03:54
Score: 5
Posts: 17
User Since: 13th Feb 2010
System Score: N/A
Location: US
Last edited on 16th Apr, 2010 03:54
FYI...

Java JRE 6 Update 20 released
- http://java.sun.com/javase/downloads/index.jsp
April 15, 2010

Changes in 1.6.0_20
- http://java.sun.com/javase/6/webnotes/6u20.html
"This release contains fixes for security vulnerabilities..."
3 Bug Fixes...

.

--
This machine has no brain.
Use your own.
.
Was this reply relevant?
+0
-0
Alan_Baxter RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 16th Apr, 2010 05:39
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
Thank you, Anthony. I uninstalled U19 before installing U20 on Windows XP SP3, so there is no trace of U19 in my Firefox plugins, just the two from U20. A PSI scan finds only the two usual exes:
Program Files\Java\jre6\bin\java.exe
WINDOWS\system32\java.exe
both for version U20 and "patched" (of course, since it's the most recent version).

Both of those files are also listed as "Insecure, no solution SA39260" in the Secure Browsing pane, under IE8, Firefox, and SeaMonkey.
Was this reply relevant?
+0
-0
Anthony Wells RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Expert Contributor 16th Apr, 2010 12:19
Score: 2434
Posts: 3,318
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 16th Apr, 2010 12:23
Hello Alan_Baxter ,

As the SA now shows 6 U 20 as the solution and not holding my breath waiting for Java support , I have manually deleted the left behind (?) "npdeploytk.dll version 6.0.190.4" file - in the ..\bin\new_plugin\.. folder - to err on the side of safety .

All clear again !!! in "seure browsing" .

Take care
Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+0
-0
Alan_Baxter RE: Sun Java Deployment Toolkit Argument Injection Vulnerability
Member 16th Apr, 2010 16:51
Score: 0
Posts: 61
User Since: 1st Mar 2009
System Score: N/A
Location: US
on 16th Apr, 2010 12:19, Anthony Wells wrote:
As the SA now shows 6 U 20 as the solution ...

I see it too. :)
I agree that deleting any left-over U19 files is prudent.
Was this reply relevant?
+0
-0


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability