By Alin Rad Pop
The JRE (Java Runtime Environment) update released by Oracle at the end of March covered 20 vulnerabilities, some of which were marked "Highly critical" by Secunia. You may feel that your system is more secure after applying that update, but few users probably expected another "Highly critical" vulnerability to become public so soon afterwards.
Today, Secunia issued SA39260. This advisory covers a vulnerability in a number of browser plugins installed by default with JRE, commonly termed the Java Deployment Toolkit. The vulnerability was independently reported by Tavis Ormandy and Ruben Santamarta; both provided good descriptions of the problem. Basically, the Java Deployment Toolkit issues a call to CreateProcessA() without sanitising the command line arguments. This allows an attacker to inject arbitrary JVM arguments and execute code in a privileged context, leading to a complete system compromise when the user visits a web site.
This vulnerability is particularly interesting for an attacker because memory protection mechanisms on modern Windows operating systems, such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), provide no mitigation. Consequently, we expect to soon see attempts to exploit this vulnerability in the wild.
We hope that Oracle decides to provide an update soon. Meanwhile, Java users are advised to delete or restrict access to all deployment plugins and to set the kill-bit for the affected ActiveX controls.
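The kill-bit recommendation above, as an added PowerShell example that is not part of this advisory: it sets the Internet Explorer kill-bit (Compatibility Flags 0x400) for a control's CLSID in both the native and the Wow6432Node hive views and verifies the result. The CLSID is a labelled placeholder; the real values for the affected Java Deployment Toolkit controls must be taken from the vendor advisory.

```powershell
# Added example, not from the advisory. PLACEHOLDER CLSID: replace with the
# CLSID(s) of the affected Java Deployment Toolkit controls from the vendor advisory.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # Compatibility Flags bit that stops IE from instantiating the control

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # 64-bit Windows keeps a separate registry view for 32-bit IE; cover both.
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    $bases | ForEach-Object { Join-Path $_ $Clsid }
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        if ($PSCmdlet.ShouldProcess($path, 'Set ActiveX kill-bit')) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # OR the bit in so that any compatibility flags already present are preserved.
            $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
            $new = [int]$current -bor $KillBit
            New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
                             -Value $new -Force | Out-Null
        }
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # True only when the kill-bit is set in every applicable registry view.
    $results = foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        ([int]$flags -band $KillBit) -eq $KillBit
    }
    -not ($results -contains $false)
}

# Usage, from an elevated prompt:
# Set-ActiveXKillBit -Clsid $PlaceholderClsid -WhatIf   # preview the registry changes
# Set-ActiveXKillBit -Clsid $PlaceholderClsid
# Test-ActiveXKillBit -Clsid $PlaceholderClsid            # expect True once applied
```

Setting the kill-bit only blocks the control inside Internet Explorer; deleting or restricting access to the deployment plugins themselves, as the advisory recommends, is still needed for other browsers.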
Alin Rad Pop,
Senior Security Specialist