Security Alerts

Oracle Releases Emergency Patch for Java Deployment Toolkit Vulnerability
4/15/2010

A vulnerability in the Java Runtime Environment (JRE) is being actively exploited on the Internet.  The vulnerability was publicly disclosed on Friday, April 9th, after Oracle (which recently acquired Sun Microsystems, the maker of Java) said that it would not issue an emergency patch for it.

When ITPS learned of the vulnerability and the recommended workaround, we deployed a Group Policy Object to set the kill-bit for the vulnerable Java Deployment Toolkit ActiveX control at all of our Managed Care customer sites by Saturday evening.

Five days later we learned that the vulnerability is being actively exploited on an English-language song-lyrics web site hosted in Russia, with Rihanna, Usher, Lady Gaga, Miley Cyrus and others used as the lure.  The exploit code is simple and reliable, so other attacks are likely.  Users had to take no action other than visiting the web site to be exploited.

On Thursday, April 15th, Oracle released an emergency patch for Java (Java SE 6 Update 20) to fix this vulnerability.

Threat Level

Warning:  Vulnerability is being actively exploited on the Internet.

(A "warning" alert is for a situation that is currently occurring or conditions are right for the situation to occur soon.)

Severity:  High.  

Media attention: Yes.

Affected Software

All versions since Java SE 6 Update 10, on systems running Internet Explorer, Firefox and possibly Chrome.

How Are Systems Compromised?

Java 6 Update 10, which Sun released in 2008, introduced the "Java Deployment Toolkit": an ActiveX control for Internet Explorer and an NPAPI (Netscape-compatible) plug-in for Firefox and other browsers that let developers launch a Java Web Start application from a web page simply by pointing at the URL of a Java Network Launching Protocol (JNLP) file, which can run with elevated Java privileges.  The toolkit is installed by default with the JRE and is marked safe for scripting, so any web page may call it, and it performs insufficient validation of the parameters a page passes to it before handing them to Java Web Start (see the Disclosure links under More Information).  That is just what malicious code writers need: a simple and reliable way to run code automatically from a web site.

When a visitor browsed to the lyrics site, a malicious iframe inside one of the ads on the page silently redirected the browser to the server hosting the exploits; the visitor did not have to click anything.  That server was serving code exploiting both this Java Deployment Toolkit vulnerability and Adobe Reader vulnerabilities.

How Do I Protect My Computer?

1. Prevent the affected ActiveX control from being executed in Internet Explorer by setting the kill-bit for the control's CLSID.  The CLSID of the Java Deployment Toolkit ActiveX control is:

{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}

Setting the kill-bit for one control on one computer takes a little work.  (See More Information below for how.)  To cover a whole network at once, either use a gateway spyware blocker (such as Untangle) that can block malicious ActiveX controls, so the vulnerable control's CLSID is entered in just one place, or use an Active Directory (AD) Group Policy Object (GPO) to have every computer on your network set the kill-bit for the affected control.

Disabling ActiveX controls in the Internet Zone prevents exploitation of this vulnerability in Internet Explorer but will likely reduce the usability of some web sites.

The ultimate solution to all of these ActiveX control vulnerabilities might be a "whitelist" approach: allow only the known-good ActiveX controls that an administrator approves (via a GPO).  This is the opposite of the current kill-bit method, in which known-bad controls are prevented from running.  Microsoft added a feature for whitelisting ActiveX controls in the IE Cumulative Security Update in Microsoft security bulletin MS09-032; the feature is disabled by default.  The problem with such an approach, of course, is keeping up with the list of ActiveX controls that all of your users need approved.

2. Prevent the affected plug-in from being executed in Mozilla Firefox by disabling the Java Deployment Toolkit plug-in and by denying access to npdeploytk.dll.  In Firefox, select Tools > Add-ons, click the Plugins icon, select 'Java Deployment Toolkit', then click 'Disable'.  Then use file-system Access Control Lists (ACLs) to deny access to npdeploytk.dll, and make sure the ACLs cover every copy of npdeploytk.dll within Firefox's plug-in search path, since Firefox can load the plug-in from any of them.

3. Install the Java patch.  To install it immediately, use Java's manual update feature.  In Windows, select Start > Control Panel > Java > Update tab and click the Update Now button.  Decline the bundled Yahoo! Toolbar if you don't want it.  Note that the Java installer resets some preferences to their defaults, overwriting changes you have made; for example, if you had Java configured to check for updates daily, installing the patch resets it to check monthly.

4. If you are a consumer (home user) or SOHO (small office/home office) user and no one is handling patch management for your systems, set Java to check for updates daily; do not wait 30 days to check for and install updates.

5. Do not browse untrusted websites or follow untrusted links.
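As an added worked example (not part of the ITPS bulletin, and not Oracle's or Microsoft's code), the following PowerShell script applies and verifies steps 1 to 3 above on a single Windows computer: it sets the kill-bit for the Deployment Toolkit CLSID (in both the native and, on 64-bit Windows, the Wow6432Node ActiveX Compatibility keys), adds a deny ACL to every npdeploytk.dll found under the Java install folders, and reports whether a JRE at or above 6 Update 20 is registered.  The kill-bit registry location and the 0x400 flag value come from Microsoft KB240797; the JRE version keys under HKLM\SOFTWARE\JavaSoft and the search under the Program Files\Java folders are assumptions about a default JRE install.  Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the ITPS bulletin, Oracle or Microsoft.
# Applies and verifies steps 1-3 of the bulletin on one Windows host. Run elevated.

$Clsid   = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'  # Java Deployment Toolkit ActiveX control
$KillBit = 0x400                                     # kill-bit flag in "Compatibility Flags" (KB240797)

# Registry lists IE consults before loading an ActiveX control. On 64-bit
# Windows the 32-bit IE uses the Wow6432Node copy, so both must be set.
function Get-CompatKey {
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($base in $bases) { Join-Path $base $Clsid }
}

# Step 1: set the kill-bit for the control's CLSID.
function Set-KillBit {
    foreach ($key in Get-CompatKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $KillBit -Type DWord
    }
}

# Verification: true only if every applicable list carries the kill-bit.
function Test-KillBit {
    foreach ($key in Get-CompatKey) {
        $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -eq $item -or (($item.'Compatibility Flags' -band $KillBit) -eq 0)) { return $false }
    }
    return $true
}

# Step 2: deny read/execute on every npdeploytk.dll so Firefox cannot load the
# NPAPI plug-in. Assumption: the JRE lives under the default Program Files\Java paths.
function Block-DeployToolkitPlugin {
    $roots = @("$env:ProgramFiles\Java")
    if (${env:ProgramFiles(x86)}) { $roots += "${env:ProgramFiles(x86)}\Java" }
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadAndExecute', 'Deny')
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter 'npdeploytk.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $acl = Get-Acl -Path $_.FullName
                $acl.AddAccessRule($deny)
                Set-Acl -Path $_.FullName -AclObject $acl
                Write-Output ("Denied read/execute on {0}" -f $_.FullName)
            }
    }
}

# Step 3 check: is a JRE at or above 6 Update 20 (the patched release) registered?
# Assumption: each installed JRE registers a key named like "1.6.0_20" under JavaSoft.
function Test-JavaPatched {
    $bases = @('HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
               'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
    $updates = foreach ($base in $bases) {
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.PSChildName -match '^1\.6\.0_(\d+)$') { [int]$matches[1] }
        }
    }
    if (-not $updates) { return $false }        # no JRE 6 registered at all
    return (($updates | Measure-Object -Maximum).Maximum -ge 20)
}

Set-KillBit
Block-DeployToolkitPlugin
Write-Output ("Kill-bit set for {0}: {1}" -f $Clsid, (Test-KillBit))
Write-Output ("JRE 6 Update 20 or later registered: {0}" -f (Test-JavaPatched))
```

The two Test- functions are the part worth keeping after a GPO rollout: the kill-bit only protects Internet Explorer, so a host reporting the kill-bit as set but no patched JRE is still exposed through Firefox until the ACL step has been applied or the JRE has been updated.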

More Information

Security Advisories
Oracle Java SE 6 Update 20 Release Notes: http://java.sun.com/javase/6/webnotes/6u20.html
US-CERT: http://www.kb.cert.org/vuls/id/886582
Secunia Advisory SA39260: http://secunia.com/advisories/39260
Secunia blog: http://secunia.com/blog/95

Disclosure
Java Deployment Toolkit Performs Insufficient Validation of Parameters, by Tavis Ormandy: http://seclists.org/fulldisclosure/2010/Apr/119
Discovered independently by Ruben Santamarta: http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1

How-to articles
How to stop an ActiveX control from running in Internet Explorer: http://support.microsoft.com/kb/240797
Disabling Mozilla Plug-ins: http://kb.mozillazine.org/Plugin_scanning

News
cnet news "Unpatched Java hole exploited at lyrics site": http://news.cnet.com/8301-27080_3-20002530-245.html
AVG Blog: http://thompson.blog.avg.com/2010/04/heads-up-0day-itw-rihanna-is-a-lure.html
The Register: http://www.theregister.co.uk/2010/04/15/emergency_java_patch/
SC Magazine: Lady Gaga, Rihanna lyrics site used to foist Java exploit

Managed Services

Based on the criticality, IT Professional Services performed an emergency deployment of a Group Policy Object (GPO) to set the kill-bit of the vulnerable ActiveX control to protect all systems under Managed Care.

Professional Services

If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our managed care service.

To find out how vulnerable your network is schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.

© 2009-2013 IT Professional Services All rights are reserved.  (805) 650-6030