There is a serious vulnerability in Java that leaves users running any of the current versions of Windows open to simple Web-based attacks that could lead to a complete compromise of the affected system. Two separate researchers released information on the vulnerability on Friday, saying that it has been present in Java for years.
The problem lies in the Java Web Start framework, a technology that Sun Microsystems developed to enable the simplified deployment of Java applications. In essence, the JavaWS technology fails to validate parameters passed to it from the command line, and attackers can control those parameters using specific HTML tags on a Web page, researcher Ruben Santamarta said in an advisory posted Friday morning.
Tavis Ormandy posted an advisory about the same bug to the Full Disclosure mailing list on Friday as well. Ormandy said in his advisory that disabling the Java plugin is not enough to prevent exploitation, because the vulnerable component is installed separately.
In short, if you have a recent version of Java running on a Windows machine, you’re affected by this flaw.
“Java.exe and javaw.exe support an undocumented-hidden command-line
parameter “-XXaltjvm” and curiosly also “-J-XXaltjvm” (see -J switch in
javaws.exe). This instructs Java to load an alternative JavaVM library
(jvm.dll or libjvm.so) from the desired path. Game over. We can set
-XXaltjvm=IPevil , in this way javaw.exe will load our evil jvm.dll.
Bye bye ASLR, DEP…,” Santamarta said in his advisory.
Because the JavaWS technology is included in the Java Runtime Environment, which is used by all of the major browsers, the vulnerability affects all of these applications, including Firefox, Internet Explorer and Chrome, on all versions of Windows from 2000 through Windows 7, Santamarta said. Browsers running on Apple’s Mac OS X are not vulnerable.
In his advisory, Ormandy said that he notified Sun about the vulnerability but that the vendor didn’t believe it was serious enough to warrant an emergency patch.
“The toolkit provides only minimal validation of the URL parameter, allowing us to pass arbitrary parameters to the javaws utility, which provides enough functionality via command line arguments to allow this error to be exploited. The simplicity with which this error can be discovered has convinced me that releasing this document is in the best interest of everyone except the vendor,” Ormandy said.
The workaround for this problem is to disable JavaWS and Javaws.exe, Santamarta said in his advisory. Ormandy has set up a proof-of-concept URL, included in his advisory, that demonstrates the exploit.
Julien Tinnes has more information about this class of Java vulnerability.