Oracle Releases Emergency Patch for Java Deployment Toolkit Vulnerability
vulnerability in the Java Runtime Environment is being actively
exploited on the Internet. The vulnerability was publically
disclosed on Friday, April 9th after Oracle (which recently
purchased Sun Micro Systems, the maker of Java) said that they
would not make an emergency patch for the vulnerability.
ITPS learned of the vulnerability and the recommended work around, we
deployed a Group Policy Object to set the kill-bit for vulnerable the
Java RE Deployment Toolkit ActiveX control by Saturday evening at all
Care customer sites.
days later we learned that the vulnerability is being actively
exploited on an English-language song lyrics web site in Russia
with Rihanna, Usher, Lady Gaga, Miley Cyrus, and other being used as
the lure. The exploit code is really simple and reliable, so
other attacks are likely. Users had to take no action other than
visiting the web site to be exploited.On Thursday, April 15th, Oracle released an emergency patch for Java to fix this vulnerability.
Warning: Vulnerability is being
actively exploited on the Internet.
(A "warning" alert is for a situation that is currently occurring or
conditions are right for the situation to occur soon.)
Media attention: Yes.
All versions since Java SE 6 update 10 on system running Internet Explorer, Firefox, and possibly Chrome
How Are Systems Compromised?
released Java 6, update 10 in April 2008, they introduced a new feature
called Java Web Start in order to make it easier for developersto install their applications using a URL to a Java Networking
Launching Protocol (JNLP) file which executes with elevated Java privileges. Sun distributes a "Java Deployment Toolkit" ActiveX control and a NPAPI (Netscape compatible) plug-in to provide developers with a simpler method
of distributing applications. This toolkit is installed by
default with the DIRE and marked safe for scripting. Just what malicious code writers need, a simple and reliable method to automatically run code on a web site.
a visitor surfed to the lyric site, a malicious iFrame inside one of
the ads on the page automatically directed the computer to the server
hosting the exploits, without the visitor having to click anything.
This particular web site was hosting malicious code exploiting
the Java Web Start vulnerability and Adobe Reader vulnerabilities.
Do I Protect My Computer?
1. Prevent the affected ActiveX Control from being executed in Internet Explorer by setting the kill-bit for that
control's CLSID. The CLSID for the Java Deployment Toolkit ActiveX control is:
Setting the kill-bit for one control on one computer can be done with a little
work. (See More Information below for how.) Use
a gateway spyware blocker (such as Untangle) that can block malicious
ActiveX controls and add the vulnerable ActiveX control's CLSID in just
one place on your network. Use an Active Directory (AD) Group
Policy Object (GPO) to have all the computers on your network set the
kill-bit for the affected ActiveX control.
ActiveX controls in the Internet Zone prevents exploitation of
this vulnerability in Internet Explorer but will likely reduce the
usability of some web sites.
The ultimate solution to all these ActiveX
control vulnerabilities might be to take a "white list" approach and allow only
known good ActiveX controls that an administrator approves (via a GPO). (This
is the opposite of the current kill bit method where known bad ActiveX controls
are prevented from running.) Microsoft added a feature to do white listing of
ActiveX controls in the IE Cumulative Security Update in Microsoft security bulletin MS09-032. (This feature
is disabled by default.) Of course the problem with such an approach is keeping
up with the list of ActiveX controls that all your users will need to have
2. Prevent the affected plug-in from being executed in Mozilla Firefox by preventing access to npdeploytk.dll and disabling the Java Deployment Toolkit plug-in. Use Access Control Lists (ACLs) to prevent access to npdeploytk.dll. Ensure that ACLs apply to all instances of npdeploytk.dll within
Firefox's search path. In Mozilla Firefox, select Tools-> Add-ons, click the Plug-ins icon, then
select 'Java Deployment Toolkit', then 'Disable'.
3. Install the Java patch.
To install the patch immediately, use Java's manual update
feature. In Windows, this can be done by selecting Start > Control
Panel > Java > Update tab and clicking the Update Now button. Be
careful to not install the Yahoo tool bar if you don't want it.
The Java install will reset some preferences to their default,
overwriting any changes you have made to the settings. For
example, if you have Java configured to check for updates daily,
installing the patch will reset this preference to check for updates
If you are a consumer (home user) or SOHO (small office/home office)
user and do not have someone taking care of patch management on your
systems, set Java to update daily--don't wait 30 days to check for and
5. Do not browse untrusted websites or follow untrusted links.
Oracle Release Notes: http://java.sun.com/javase/6/webnotes/6u20.html
Secunia Advisory SA39260: http://secunia.com/advisories/39260
Secnia blog: http://secunia.com/blog/95
Java Deployment Toolkit Performs Insufficient Validation of Parameters, by Travis Ormandy: http://seclists.org/fulldisclosure/2010/Apr/119
independently by Ruben Santamarta:
How to stop an ActiveX control from running in Internet Explorer: http://support.microsoft.com/kb/240797
Disabling Mozilla Plug-ins: http://kb.mozillazine.org/Plugin_scanning
cnet news "Unpatched Java hole exploited at lyrics site": http://news.cnet.com/8301-27080_3-20002530-245.html
AVG Blog: http://thompson.blog.avg.com/2010/04/heads-up-0day-itw-rihanna-is-a-lure.html
The Register: http://www.theregister.co.uk/2010/04/15/emergency_java_patch/
SC Magazine: Lada Gaga, Rihanna lyrics site used to foist Java exploit
Based on the criticality, IT Professional Services performed an
emergency deployment of a Group Policy Object (GPO) to set the kill-bit
of the vulnerable ActiveX control to protect all systems
If you need assistance installing protection from
this vulnerability or a security assessment, IT Professional Services
can help. Call our
out more about our managed care service.
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.