Following Microsoft’s recent Patch Tuesday, Oracle, too, released 47 security fixes for its products. Oracle’s critical patch update for April can be found in Oracle Critical Patch Update Advisory—April 2010.
Oracle’s update is a collection of patches for multiple security vulnerabilities, which also includes patches for Sun products. Sun Microsystems is a wholly owned Oracle subsidiary.
However, a security vulnerability in the Java Deployment Toolkit (JDT) has recently been discovered by Tavis Ormandy. This security vulnerability can be exploited to launch applications on a Windows OS using a specially crafted website. Ormandy also says that Sun Microsystems has been informed about this vulnerability; however, it is not considered to be of high enough priority to break its quarterly patch cycle. Until a patch is released in the next update, Ormandy offers users temporary solutions found in his report.
Trend Micro researcher Rajiv Motwani says, “The vulnerability can be exploited through Internet Explorer (IE) as well as other browsers. It affects a lot of versions of Java.”
He continues, “Oracle Java Web Start provides Java developers a way that users can launch and install their applications using a URL to a Java Network Launching Protocol (.JNLP) file. It is this URL that is not properly validated, and hence an attacker could use it to cause remote code execution. All the victim needs to do is visit a Web page. In IE, it is exploited through ActiveX controls. An attacker can execute arbitrary code in the guise of the logged-in user,” says Motwani. The proof-of-concept (POC) code is publicly available in this report.
For workarounds, Motwani says, “If using IE, set kill-bit for the ActiveX control. For other browsers, set access control lists (ACL) for the vulnerable DLL.”
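The following PowerShell script is an added example of how an administrator would apply the two workarounds Motwani describes; it is not code from Trend Micro or from Ormandy’s report. The CLSID and the DLL path are placeholders, since the post does not list them: substitute the Java Deployment Toolkit control’s CLSID and the actual path of the vulnerable DLL before running it, and run it from an elevated prompt.

```powershell
# Added example (not from the original post). Applies the two quoted workarounds:
#  1. set the kill bit for the ActiveX control so Internet Explorer refuses to load it;
#  2. put a deny ACL on the DLL so other browsers cannot load it either.
# PLACEHOLDERS: $Clsid and $DllPath must be replaced with the real values.
param(
    [string]$Clsid   = '{00000000-0000-0000-0000-000000000000}',   # placeholder CLSID
    [string]$DllPath = "$env:ProgramFiles\Java\PLACEHOLDER\bin\PLACEHOLDER.dll"  # placeholder path
)

# IE honours bit 0x400 ("kill bit") of the Compatibility Flags value under
# ActiveX Compatibility\{CLSID}. On 64-bit Windows the 32-bit IE reads the
# Wow6432Node view, so both hives are handled.
function Set-KillBit {
    param([string]$Clsid)
    $KillBit = 0x400
    $hives = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($key in $hives) {
        # Wow6432Node only exists on 64-bit Windows; skip it otherwise.
        if ($key -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        # OR the kill bit into whatever flags are already present (null -> 0).
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = ([int]$current) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord

        # Verify the bit really is set before reporting success.
        $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
        if (($check -band $KillBit) -ne $KillBit) { throw "Kill bit not set under $key" }
        Write-Output "Kill bit set: $key"
    }
}

# Deny Everyone read/execute on the DLL. This blocks every process, including the
# legitimate Java Web Start path, so treat it as temporary until the patch is applied.
function Set-DenyAcl {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "DLL not found at $Path (replace the placeholder path)" }
    icacls $Path /deny 'Everyone:(RX)' | Out-Null
    # Show the resulting ACL so the deny entry can be confirmed.
    icacls $Path
}

Set-KillBit -Clsid $Clsid
Set-DenyAcl -Path $DllPath
```

Once the vendor fix is installed, undo the ACL with `icacls <path> /remove:d Everyone` and clear the kill bit by removing the `Compatibility Flags` value (or the whole CLSID key) from the same registry locations; leaving the deny entry in place would keep the patched Deployment Toolkit from loading as well.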
Trend Micro Deep Security™ and Trend Micro OfficeScan™ already protect business users against the Java vulnerability via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF rule number 1004091.
Update as of April 16, 2010, 4:45 a.m. (GMT +8:00):
Java has released a security update that patches this vulnerability, which can be found on this Java Update Release Notes page for Java SE 6. Users are highly advised to immediately apply the said security fix to prevent attacks from these Java exploits.
Update as of April 16, 2010, 9:56 a.m. (GMT +8:00):
Please refer to this page for more information about the vulnerability fixes Java issued.