
    Following Microsoft’s recent Patch Tuesday, Oracle, too, released 47 security fixes for its products. Oracle’s critical patch update for April can be found in Oracle Critical Patch Update Advisory—April 2010.

    Oracle’s update is a collection of patches for multiple security vulnerabilities, which also includes patches for products of Sun Microsystems, a wholly owned Oracle subsidiary.

    However, a security vulnerability in the Java Deployment Toolkit (JDT) has recently been discovered by Tavis Ormandy. This vulnerability can be exploited to launch applications on a Windows OS using a specially crafted website. Ormandy also says that Sun Microsystems has been informed about the vulnerability; however, it is not considered high enough in priority to break the quarterly patch cycle. Until a patch is released in the next update, Ormandy offers users the temporary workarounds described in his report.

    Trend Micro researcher Rajiv Motwani says, “The vulnerability can be exploited through Internet Explorer (IE) as well as other browsers. It affects a lot of versions of Java.”

    He continues, “Oracle Java Web Start provides Java developers a way that users can launch and install their applications using a URL to a Java Networking Launching Protocol (.JNLP) file. It is this URL that is not properly validated, and hence an attacker could use it to cause remote code execution. All the victim needs to do is visit a Web page. In IE, it is exploited through ActiveX controls. An attacker can execute arbitrary code in the guise of the logged-in user,” says Motwani. The proof-of-concept (POC) code is publicly available in this report.

    For workarounds, Motwani says, “If using IE, set kill-bit for the ActiveX control. For other browsers, set access control lists (ACL) for the vulnerable DLL.”
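    A script that applies both workarounds Motwani describes, added here as an illustration and not part of the original post or any Trend Micro or Oracle tooling. The CLSID and DLL path are placeholders because the post does not give them; the kill-bit value 0x400 in the IE ActiveX Compatibility key is the standard Compatibility Flags setting.

```powershell
# Added example: apply the two interim workarounds from the post.
# PLACEHOLDERS below must be replaced with the values from the vendor advisory.
#Requires -RunAsAdministrator

$Clsid   = '{00000000-0000-0000-0000-000000000000}'   # placeholder: CLSID of the JDT control
$DllPath = 'C:\path\to\vulnerable.dll'                # placeholder: path of the JDT DLL
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not instantiate the control

function Get-CompatKeys([string]$Clsid) {
    # IE reads kill-bits from the ActiveX Compatibility key; on 64-bit Windows
    # the 32-bit browser uses the Wow6432Node view, so both views are covered.
    @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
}

function Set-ActiveXKillBit([string]$Clsid, [int]$Flag = 0x400) {
    foreach ($k in Get-CompatKeys $Clsid) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the kill-bit in so any existing compatibility flags are preserved
        Set-ItemProperty -Path $k -Name 'Compatibility Flags' -Type DWord `
                         -Value (([int]$cur) -bor $Flag)
    }
}

function Test-ActiveXKillBit([string]$Clsid, [int]$Flag = 0x400) {
    # Returns $true only when the kill-bit is set in every applicable view.
    foreach ($k in Get-CompatKeys $Clsid) {
        $cur = (Get-ItemProperty -Path $k -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ((([int]$cur) -band $Flag) -eq 0) { return $false }
    }
    return $true
}

function Deny-DllAccess([string]$Path) {
    # For non-IE browsers: a deny ACE for Everyone stops the DLL from being loaded.
    # Remove it (icacls $Path /remove:d Everyone) before installing the vendor patch.
    if (Test-Path $Path) { icacls $Path /deny 'Everyone:(RX)' | Out-Null }
}

Set-ActiveXKillBit $Clsid $KillBit
Write-Host ("Kill-bit set for {0}: {1}" -f $Clsid, (Test-ActiveXKillBit $Clsid $KillBit))
Deny-DllAccess $DllPath
```

    Because the kill-bit is OR-ed into the existing value, re-running the script is safe; verify with Test-ActiveXKillBit after any policy or software change that rewrites the key.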

    Trend Micro Deep Security™ and Trend Micro OfficeScan™ already protect business users against the Java vulnerability via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF rule number 1004091.

    Update as of April 16, 2010, 4:45 a.m. (GMT +8:00):

    Java has released a security update that patches this vulnerability, which can be found on the Java Update Release Notes page for Java SE 6. Users are strongly advised to apply the security fix immediately to prevent attacks using these Java exploits.

    Update as of April 16, 2010, 9:56 a.m. (GMT +8:00):

    An exploit that takes advantage of this vulnerability has already been spotted in the wild. The attackers used a Java applet hosted on a website that downloads files onto targeted Windows systems. A malicious JavaScript has also been found that runs this applet. Trend Micro detects the applet as JAVA_WEBSTART.A and the script as JS_WEBSTART.A.

    Please refer to this page for more information about the vulnerability fixes Java issued.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice