Sun About Face: Out-of-Cycle Java Update Patches Critical Flaw
In a sudden about-face, Sun has rushed out a Java update to fix a drive-by download vulnerability that exposed Windows users to in-the-wild malware attacks.
The patch comes less than a week after Sun told a Google researcher it did not consider the issue serious enough to warrant an out-of-cycle patch and less than a day after researchers spotted live exploits on a booby-trapped song lyrics Web site.
The release notes that accompany the new Java 6 Update 20 make no mention of the public flaw disclosure or the subsequent attacks, but I’ve been able to confirm that the patch does cover the vulnerability disclosed by Google security researcher Tavis Ormandy.
After applying the fix on a Windows machine, Ormandy’s proof-of-concept demo did not work. Instead of opening the calculator application, I got an error message concerning the Java Virtual Machine Launcher:

The flaw, which was also discovered independently by Ruben Santamarta, occurs because the Java browser plug-in runs “javaws.exe” without validating its command-line parameters.
Despite the absence of documentation, a researcher was able to figure out that Sun removed the code that ran javaws.exe from the Java plug-in.
Here is a link to download the Java 6 Update 20 fix.
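As an added check that is not part of the article, this Python script parses the banner printed by `java -version` and reports whether an installed JRE is at or above Java 6 Update 20, the release the article says covers the flaw. The sample banners are constructed, and treating Java families other than 1.6 as "unknown" is an assumption of this script, not a statement from the article.

```python
import re
import subprocess

# Sun version strings look like 1.6.0_20 (Java 6 Update 20): the family is
# the second number and the update number follows the underscore.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

# Java 6 Update 20 is the release the article says covers the javaws.exe flaw.
FIXED_VERSION = (1, 6, 0, 20)


def parse_java_version(output):
    """Extract (major, family, minor, update) from a `java -version` banner,
    or None when the banner is not recognised."""
    match = VERSION_RE.search(output)
    if not match:
        return None
    major, family, minor, update = match.groups()
    return (int(major), int(family), int(minor), int(update or 0))


def patch_status(version, fixed=FIXED_VERSION):
    """Classify a JRE relative to the fix: 'patched', 'unpatched' or 'unknown'.
    Assumption: only the Java 6 line is compared; other lines (such as the
    1.5 series discussed in the comments) are reported as 'unknown' because
    this update does not apply to them."""
    if version is None or version[:2] != fixed[:2]:
        return "unknown"
    return "patched" if version >= fixed else "unpatched"


def installed_java_status():
    """Run `java -version` on this machine and classify the result.
    The banner goes to stderr, so both streams are captured."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    return patch_status(parse_java_version(proc.stderr + proc.stdout))


if __name__ == "__main__":
    # Constructed sample banners, one per outcome.
    for banner in ('java version "1.6.0_19"', 'java version "1.6.0_20"',
                   'java version "1.5.0_22"'):
        print(banner, "->", patch_status(parse_java_version(banner)))
    print("this machine ->", installed_java_status())
```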
The about-face by Sun is another sign that some big vendors still struggle to understand the importance of working closely with white hat researchers to understand the implications of certain vulnerabilities. In this case, Google’s Ormandy was forced to use the full-disclosure weapon to force the vendor into a proper response.
It’s incomprehensible that a software vendor like Sun, now under Oracle’s wings, could have misdiagnosed this vulnerability when Ormandy originally reported it. It was clear, from the inception, that this was a “critical” issue that was found by several different hackers. On Twitter, Ormandy said he had no information that the issue was already in the wild before he wielded the full-disclosure stick. However, he maintains “it was just too trivial for that not to be the case.”
To date, Oracle/Sun has not publicly commented on or mentioned the public disclosure of an issue that is being actively exploited.
Speaking of irresponsible, here’s what I saw during the process of applying the Java patch this morning. Yes, checked by default. Sigh.

Comments
Damn, mine was checked by default, too. But it was Yahoo Toolbar. Everyone united against Big G?
That's why you download the latest Java from http://java.sun.com/ for a toolbar free Java.
:)
Where's the download link, jackass?
Here you go http://java.sun.com/javase/downloads/index.jsp
_r
Or, just go to your java control panel applet's update tab, and click "update now".
More irresponsible bloatware titles: http://www.404techsupport.com/2010/02/a-directory-on-bloatware/
Well I still use JDK 1.5 Update 22 due to some development constraints. So I used the demo link to see if this old version (which was the last of the 1.5 series) was vulnerable.
Sure enough, it attempted to launch, but AVG blocked it, reporting it as "Exploit JSE WEbStart (type 1067)" ... yay.
Ryan, I get that same error message using Java 6 u19. Maybe it was fixed before u20. The mailing list containing the advisory was vague about exactly what versions past u10 were vulnerable.
This exploit does not function on win-98 with JRE 5.x.
On my Win-98 system, while running Firefox 2.0.0.20 and with JRE version 5 update 22, Firefox displays a message at the top of the browser window, telling me that "Additional plugins are required to display all the media on this page". The calc application does not launch.
And someone tell me if Sun/Oracle will provide free updates for JRE 5.x (the last being 5.22) or will they enforce a policy that you have to buy them? I understand that 5.23 is available, but only if you buy "Java for business" or some such nonsense.
Linux/Firefox3.6/JRE6.0_19 not vulnerable.
"Additional plugins are required..."
Thanks for the tip on this exploit. You may be interested in my results in replicating your example.
I followed your instructions using IE8 and was able to launch the calculator, but that's not the interesting part.
I wanted a screen shot of the exploit in action (Java logo w/calc) and refreshed the page. This time, I received the alert box you indicated receiving after applying the fix labeled "unable to access Jarfile..." as illustrated.
Closing the window and reopening the page once again launched the calculator. An immediate refresh after closing Calc again brought up the warning. A short wait and was able to replicate the Calc launch with a page refresh.
Downloaded the update and ran the installation and then restarted IE8. Navigation to the demo page resulted in only a blank page, no Java logo and no popup warning.
You may want to double check your findings and, if they concur with mine, update your report to avoid someone unintentionally replicating the popup and believing themselves to be secure.
OK then, what is safe?
I've heard about a tool that will make the update process easier by automating the task. I found it on a site on how to update java. It's very important that we keep our drivers updated as it could be one possible cure to common hardware and software related issues.