The Sun Java Deployment Toolkit plugin and ActiveX control perform insufficient argument validation, allowing an attacker to perform several attacks, including the execution of an arbitrary JAR file.
The Sun Java Deployment Toolkit contains an NPAPI (Netscape-compatible) plugin and an ActiveX control, which are installed in the end user's browser(s). The toolkit contains a launch() method which can be used to pass a Java Network Launching Protocol (JNLP) URL to the registered handler for JNLP files. On Windows systems, the default handler is the Java Web Start utility, javaws.exe.
As detailed here, because the launch() method performs insufficient argument validation of the URL, arbitrary arguments can be passed to javaws.exe. This includes the '-J' option, which can allow an attacker to execute a remote JAR file. The code in the JAR file will execute with elevated Java privileges, which is equivalent to the execution of arbitrary code.
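The flaw described above is a missing argument check: a string that should only ever be a JNLP URL reaches the handler's command line unvalidated. The following is an added example written for this note, not code from the Deployment Toolkit or from the original research, showing the kind of validation a launcher should perform before handing a URL to a file handler. The function names, the allowed schemes, the handler path and the sample inputs are assumptions chosen for illustration.

```python
"""Validate a JNLP URL before it is passed to a registered handler such as
javaws.exe, and build the handler's argv so the URL is exactly one argument.
Added example; not the Deployment Toolkit's own code. Names, allowed schemes
and sample inputs are assumptions."""

import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}               # assumption: web-hosted JNLP only
_FORBIDDEN = re.compile(r"[\s\x00-\x1f\x7f\"']")  # whitespace, control chars, quotes


class JnlpUrlError(ValueError):
    """Raised when a launch() argument is not a plain JNLP URL."""


def validate_jnlp_url(url) -> str:
    """Return the URL unchanged if it is safe to pass as a single argument.

    Rejects anything the handler could read as an option (leading '-'),
    anything that could be split into extra arguments (whitespace, quotes,
    control characters), and anything that is not an http(s) URL naming a
    .jnlp file.
    """
    if not isinstance(url, str) or not url:
        raise JnlpUrlError("empty or non-string argument")
    if url.startswith("-"):
        raise JnlpUrlError("argument looks like a command-line option")
    if _FORBIDDEN.search(url):
        raise JnlpUrlError("whitespace, control or quote characters not allowed")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise JnlpUrlError(f"scheme {parts.scheme!r} not allowed")
    if not parts.netloc:
        raise JnlpUrlError("missing host")
    if not parts.path.lower().endswith(".jnlp"):
        raise JnlpUrlError("path does not name a .jnlp file")
    return url


def is_safe_launch_argument(url) -> bool:
    """Boolean wrapper around validate_jnlp_url for callers that only filter."""
    try:
        validate_jnlp_url(url)
        return True
    except JnlpUrlError:
        return False


def build_handler_argv(handler: str, url: str) -> list:
    """Build argv for the handler with the validated URL as one element."""
    return [handler, validate_jnlp_url(url)]


def windows_command_line(argv) -> str:
    """Render argv as the single command-line string Windows would receive.

    subprocess.list2cmdline is the quoting helper subprocess uses on Windows;
    it quotes elements containing spaces so they stay one argument.
    """
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    handler = r"C:\Program Files\Java\jre6\bin\javaws.exe"  # assumed path
    # Constructed sample inputs: one valid URL and several that must be rejected.
    samples = [
        "http://example.test/app/launch.jnlp",
        "http://example.test/app/launch.jnlp -Jplaceholder",  # extra argument
        "-Jplaceholder",                                      # option, not a URL
        "file:///C:/temp/launch.jnlp",                        # disallowed scheme
        "http://example.test/app/launch.jnlp\x00",            # control character
    ]
    for s in samples:
        verdict = "accepted" if is_safe_launch_argument(s) else "rejected"
        print(f"{s!r:58} -> {verdict}")
    print(windows_command_line(build_handler_argv(handler, samples[0])))
```

The validator refuses the input outright rather than trying to strip or escape option-like fragments; an allow-list on shape (scheme, host, .jnlp path, no separator characters) is easier to reason about than a deny-list of handler options, and passing argv as a list keeps the URL a single argument even if it somehow contained a space.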
By convincing a user to visit a specially crafted HTML document, a remote attacker may be able to execute arbitrary code on a vulnerable system.
Apply an update
Please note that the Java Deployment Toolkit can be installed in multiple browsers; therefore, workarounds need to be applied in every browser that has the Java Deployment Toolkit installed.
This report is based on research by Tavis Ormandy.
This document was written by David Warren.
Date First Published: 2010-04-12
Date Last Updated: 2010-04-19 21:38 UTC