In association with heise online

15 April 2010, 11:24

Java vulnerability - when lyric sites attack - Update


According to anti-virus software vendor AVG, web sites are now actively exploiting the Java Web Start vulnerability disclosed at the end of last week to infect Windows PCs. These include the popular platform, from which users can download lyrics for the latest hits. The web site appears to have been hacked by criminals who have embedded a program to download malicious code from a Russian web server.

The vulnerability is the result of insufficient filtering of URLs, allowing them to be used to pass arguments to Java Web Start, which in turn can be used to launch local applications. Web Start can be exploited to download and run malicious code from the web. The vulnerability is not a problem in Windows alone – Unix is also affected although Java for Mac OS X is apparently not affected.

According to analysis by Wepawet (information on Wepawet can be found in The H article "Tracking down malware"), the attackers are not just exploiting the Java vulnerability, but also multiple vulnerabilities in Adobe Reader. Adobe yesterday fixed 15 vulnerabilities in Reader with update 9.3.2.

A solution for Java is also at hand – Oracle has released Update 20 for Java 6, which reportedly fixes the problem. Certainly the exploit published by Tavis Ormandy no longer works in either Internet Explorer or Firefox after installing the new version. Oracle has reacted with surprising speed. As recently as Friday, Ormandy reported that Sun did not consider the vulnerability to be sufficiently critical to release an emergency patch outside of its three-month patch cycle. Although Oracle did carry out its quarterly critical patch update yesterday, Java was not mentioned.

In its release notes for the Java 6 Update 20, Oracle does not say exactly what has been patched. At first sight it would appear that the vulnerable components are no longer loaded in the browser, i.e. that the actual vulnerability has genuinely been fixed.

However, it seems the Java update does not prevent the exploit from working in all cases. The cause is currently unclear. As an alternative, Internet Explorer users can set a kill bit and disable the ActiveX control responsible by creating a registry key. To prevent the system from being vulnerable, users can place the following text into a file called file-kill.reg and double click the file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00000400

Windows will then automatically import the key (admin rights are required to perform this action). In Firefox, it's sufficient to disable all of the Java Deployment Toolkit modules under Tools / Add-ons / Plug-ins.
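
A check for whether the kill bit described above is actually in effect, as an added example that is not part of the original article. The Wow6432Node path (the registry view that 32-bit Internet Explorer reads on 64-bit Windows) and the function name Get-KillBitState are additions not taken from the article.

```powershell
# Added example: report whether the kill bit from the .reg file is set.
# Run from a 64-bit PowerShell on 64-bit Windows so the first path is the 64-bit view.
$Clsid   = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'  # CLSID taken from the article
$KillBit = 0x400                                      # dword:00000400 from the article

$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# Assumption beyond the article: on 64-bit Windows, 32-bit IE reads this second view,
# which a double-clicked .reg file does not populate.
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-KillBitState {
    param([string]$Root, [string]$Clsid, [int]$Mask)

    $path  = Join-Path $Root $Clsid
    $flags = $null
    if (-not (Test-Path -LiteralPath $path)) {
        $state = 'KeyMissing'
    } else {
        $prop = Get-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $state = 'ValueMissing'
        } else {
            $flags = [int]$prop.'Compatibility Flags'
            # Other compatibility flags may be set as well, so test the bit, not equality.
            if (($flags -band $Mask) -eq $Mask) { $state = 'KillBitSet' } else { $state = 'NotSet' }
        }
    }
    New-Object PSObject -Property @{ Path = $path; State = $state; Flags = $flags }
}

$results = foreach ($root in $Roots) {
    Get-KillBitState -Root $root -Clsid $Clsid -Mask $KillBit
}
$results | Format-Table State, Flags, Path -AutoSize
```

Any row whose State is not KillBitSet means the control can still be instantiated by the Internet Explorer build that reads that registry view.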

Update: Oracle has published a security advisory about the Java update which indicates that the vulnerability in the Java Deployment Toolkit has been addressed. In addition, another critical vulnerability in the new Java Plug-in was also closed.
