Cyber Notices & Alerts - Updated 6/30/10

 

 

US Lacks Staff to support Networks - posted 6/30/10

 

 

 

NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY (posted 6/24/10)

 

CSCIC ADVISORY NUMBER:
2010-049

DATE(S) ISSUED:
6/23/2010

 

SUBJECT:
Multiple Vulnerabilities in Mozilla Products Could Allow Remote Code Execution

 

OVERVIEW:
Multiple vulnerabilities have been discovered in the Mozilla Firefox, Mozilla Thunderbird and Mozilla SeaMonkey applications which could allow remote code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Thunderbird is an email client. Mozilla SeaMonkey is a cross platform Internet suite of tools ranging from a web browser to an email client.

 

These vulnerabilities may be exploited if a user visits, or is redirected to, a web page or opens a malicious file specifically crafted to take advantage of these vulnerabilities. Successful exploitation of these vulnerabilities could result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

 

SYSTEMS AFFECTED:

 

  • Mozilla Firefox 3.5.9 and earlier

  • Mozilla Firefox 3.6.3 and earlier

  • Mozilla SeaMonkey 2.0.4 and earlier

  • Mozilla Thunderbird 3.0.4 and earlier

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:
Eight vulnerabilities have been discovered in Mozilla Firefox, Mozilla Thunderbird and Mozilla SeaMonkey. Details of these vulnerabilities are as follows:

 

Multiple memory corruption vulnerabilities (MFSA2010-26)
Multiple memory corruption vulnerabilities affecting the browser and JavaScript engine can allow remote attackers to crash the browser or execute arbitrary code in the context of the application.  Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

 

A use-after-free error can allow for the execution of arbitrary code (MFSA2010-27)
A use-after-free error affects the 'nsCycleCollector::MarkRoots()' function, which can allow attackers to execute arbitrary code.  Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

 

Multiple plugin instances may share references resulting in arbitrary code execution (MFSA2010-28)
Multiple plugin instances may share references, which may result in the execution of arbitrary code.  Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

 

A heap-based buffer-overflow may result in the execution of arbitrary code (MFSA2010-29)
A heap-based buffer-overflow issue affects the 'nsGenericDOMDataNode::SetTextInternal()' function.  The issue can be triggered when overly long strings are used to set the text value for certain DOM nodes.  Attackers can exploit this issue to run arbitrary code.  Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

 

An integer-overflow issue may result in the execution of arbitrary code (MFSA2010-30)
An integer-overflow issue affects XSLT node sorting. Attackers can exploit this issue to run arbitrary code.  Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

 

focus() behavior can be used to inject or steal keystrokes (MFSA2010-31)

A vulnerability issue with the focus() behavior can be used by an attacker to inject or steal keystrokes.  This issue could result in an attacker changing a user’s cursor focus while they are typing and potentially allow the attacker to gain sensitive information such as passwords.

 

A security-bypass issue may allow for cross site scripting (MFSA2010-32)
A security-bypass issue affects attachments with 'Content-Disposition' HTTP headers.  The header is ignored when 'Content-Type: multipart' headers are also present.  Attackers can leverage this issue to create cross-site scripting attacks on certain web pages that may allow users to upload arbitrary files.

 

User tracking across sites using Math.random() (MFSA2010-33)

A vulnerability issue in Math.random() can be used to identify and track users across different web sites.  This could aid attackers in certain phishing attack scenarios.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade to Mozilla Firefox version 3.6.4 or 3.5.10, Thunderbird 3.0.5, or SeaMonkey 2.0.5 as needed immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted web sites or follow links provided by unknown or un-trusted sources.

  • Remind users not to download or open files from un-trusted web sites.

 


NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted 6/11/10

CSCIC ADVISORY NUMBER:
2010-042

DATE(S) ISSUED:
6/8/2010

 

SUBJECT:
Vulnerabilities in Media Decompression Could Allow Remote Code Execution (MS10-033)

 

OVERVIEW:
Two vulnerabilities have been discovered in Microsoft Windows that could allow a remote attacker to take complete control of an affected system. The vulnerabilities exist in the way Microsoft Windows handles media files. Exploitation can occur if a user visits a malicious web page or opens a malicious media file. Successful exploitation could allow an attacker to gain the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

SYSTEMS AFFECTED:

 

  • Windows 2000

  • Windows XP

  • Windows Server 2003

  • Windows Vista

  • Windows 7

  • Windows Server 2008

  • Windows Server 2008 R2

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:
Two vulnerabilities have been discovered in Microsoft Windows that could allow a remote attacker to take complete control of an affected system. Exploitation can occur when Windows processes a media file with specially crafted compression data. Windows systems which use any of the following components are at risk from this vulnerability:

 

  • DirectShow - DirectShow is a Windows component for streaming media and performing various operations with media files on Microsoft Windows operating systems.

  • DirectX - DirectX is a collection of application programming interfaces for handling tasks related to multimedia on Microsoft platforms.

 

  • Windows Media Format Runtime - Windows Media Format Runtime provides information to applications, such as Windows Media Player.

 

  • Windows Media Encoder - Windows Media Encoder enables developers to convert or capture multimedia content for on-demand delivery (streaming).

 

Any Windows systems running client applications which use either the ‘Asycfilt.dll’ or ‘Quartz.dll’ libraries are vulnerable. Systems where MJPEG files are frequently processed are also at risk of being exploited.

 

Successful exploitation could allow an attacker to gain the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Remind users not to download or open files from un-trusted websites.

  • Remind users not to open email attachments from unknown or un-trusted sources.

 


NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted 6/11/10
 

CSCIC ADVISORY NUMBER:
2010-045
 

DATE(S) ISSUED:
6/8/2010

 

SUBJECT:
Vulnerability in COM Validation in Microsoft Office Could Allow Remote Code Execution (MS10-036)

 

OVERVIEW:
A vulnerability has been identified in Microsoft Office, Microsoft's business application suite. This vulnerability could allow remote code execution if a user opens a specially crafted Office document. The document may be received as an email attachment, or downloaded via the web. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 

 

SYSTEMS AFFECTED:

 

  • Microsoft Office XP

  • Microsoft Office 2003

  • 2007 Microsoft Office System

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:
A vulnerability has been identified in Microsoft Office that could allow an attacker to take complete control of an affected system. This vulnerability can be triggered by opening a specially crafted Excel, PowerPoint, Publisher, Visio, or Word document and can be exploited via email or through the web.

 

In the email based scenario, the user would have to open the specially crafted document as an email attachment. In the web based scenario, a user would have to open the specially crafted document that is hosted on a website. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Remind users not to download or open files from un-trusted websites.

  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

 

 


NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted 6/11/10
 

CSCIC ADVISORY NUMBER:
2010-044
 

DATE(S) ISSUED:
6/8/2010

 

SUBJECT:
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (MS10-038)

 

OVERVIEW:
Multiple vulnerabilities have been identified in Microsoft Office Excel, a spreadsheet application. These vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. The file may be received as an email attachment, or downloaded via the web. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

SYSTEMS AFFECTED:

 

  • Microsoft Office XP

  • Microsoft Office 2003

  • 2007 Microsoft Office System

  • Microsoft Office for Mac

  • Microsoft Office 2004 for Mac

  • Microsoft Office 2008 for Mac

  • Open XML File Format Converter for Mac

  • Microsoft Office Excel Viewer

  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:
Fourteen vulnerabilities have been identified in Microsoft Office Excel that could allow an attacker to take complete control of an affected system. These vulnerabilities can be triggered by opening a specially crafted Excel file (.XLS) and can be exploited via email or through the web. In the email based scenario, the user would have to open the specially crafted Excel file as an email attachment. In the web based scenario, a user would have to open the specially crafted Excel file that is hosted on a website. When the user opens the Excel file, the attacker's supplied code will execute.

 

Thirteen of these vulnerabilities exist because of the way Microsoft Office Excel parses the Excel file format when processing Excel files. The last vulnerability exists due to incorrect ACLs being applied to the “/Application” folder on Mac OS X systems. Successful exploitation of any of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to open email attachments from unknown or un-trusted sources.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Consider using the Microsoft Office Isolated Conversion Environment (MOICE - http://support.microsoft.com/kb/935865 ) to mitigate some of the vulnerabilities identified in this advisory.

 

 


NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted 6/11/10

CSCIC ADVISORY NUMBER:
2010-043

 

DATE(S) ISSUED:
6/8/2010

 

SUBJECT:
Cumulative Security Update of ActiveX Kill Bits (MS10-034)

 

OVERVIEW:
Microsoft has released a security update which addresses vulnerabilities discovered in multiple ActiveX controls. ActiveX controls are small programs or animations that are downloaded or embedded in web pages which will typically enhance functionality and user experience. Many web design and development tools have built ActiveX support into their products, allowing developers to both create and make use of ActiveX controls in their programs. There are more than 1,000 existing ActiveX controls available for use today.

 

When vulnerabilities are discovered in ActiveX controls, attackers may use specially crafted web pages to exploit these vulnerabilities. Successful exploitation will result in an attacker gaining the same user privileges as the logged on user. Depending on the privileges associated with this user, an attacker could then install programs; view, change, or delete data; or create new accounts.

 

SYSTEMS AFFECTED:

 

  • Windows 2000

  • Windows XP

  • Windows Server 2003

  • Windows Vista

  • Windows Server 2008

  • Windows 7

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:
Microsoft Internet Explorer includes a security feature which will prevent an ActiveX control from being loaded by using registry settings. This is commonly referred to as setting the 'kill bit' of an ActiveX component. Once the kill bit is set, the associated component can never be loaded.

 

These vulnerabilities could allow an attacker to take complete control of an affected system, and could be exploited if a user visits a specifically crafted web page.

 

Successful exploitation could allow an attacker to gain the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

This update will set the kill bits for the following Class Identifiers (CLSIDs):

 

Office Excel ActiveX control for Data Analysis (max3activex.dll)

CLSID - 14FD1463-1F3F-4357-9C03-2080B442F503

CLSID - E9CB13DB-20AB-43C5-B283-977C58FB5754

 

The Microsoft Data Analyzer ActiveX control affected by this vulnerability is not installed by default and requires manual installation by a user.

 

Microsoft Internet Explorer 8 Developer Tools (iedvtool.dll)

CLSID - 8fe85d00-4647-40b9-87e4-5eb8a52f4759

 

Microsoft Internet Explorer 8 Developer Tools are installed and enabled by default for Internet Explorer 8. This vulnerability does not affect hosts running Internet Explorer 6 or Internet Explorer 7 that have Developer tools installed on them.

 

Additionally, this update will set the kill bits for the following Class Identifiers (CLSIDs) belonging to third-party software:

 

Danske eSec ActiveX control

CLSID - F6A56D95-A3A3-11D2-AC26-400000058481

 

PSFormX ActiveX control

CLSID - 56393399-041A-4650-94C7-13DFCB1F4665

 

Ofoto Upload Manager / Kodak Gallery Easy Upload Manager ActiveX Control

CLSID - 6f750200-1362-4815-a476-88533de61d0c

CLSID - 6f750201-1362-4815-a476-88533de61d0c

 

 

CallPilot Unified Messaging ActiveX Control

CLSID - 7F14A9EE-6989-11D5-8152-00C04F191FCA

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate update provided by Microsoft to vulnerable systems immediately after appropriate testing.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Configure Internet Explorer to prompt before running ActiveX Controls or disable ActiveX controls in the Internet Zone.

 


NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY (posted 6/9/10)

CSCIC ADVISORY NUMBER:
2010-040

 

DATE(S) ISSUED:
6/7/2010

 

SUBJECT:
Multiple Adobe Products are Prone to a Remote Code Execution Vulnerability

 

OVERVIEW:
A vulnerability has been discovered in the Adobe Acrobat, Adobe Reader and Adobe Flash Player applications that could allow attackers to execute arbitrary code on affected systems. Adobe Reader allows users to view Portable Document Format (PDF) files. Adobe Acrobat offers users additional features such as the ability to create PDF files. Adobe Flash Player is a multimedia and application player used to enhance the user experience when visiting web pages or other media which incorporate Flash (.swf) files.

 

Exploitation can occur if a user visits or is redirected to a malicious webpage or if a user opens a malicious file designed to take advantage of this vulnerability, including opening a malicious attachment. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

 

Adobe has indicated that this vulnerability is actively being exploited and there is no patch available at this time.  Adobe has, however, provided mitigation advice.  Please see the Recommendations section below.

 

SYSTEMS AFFECTED:

 

  • Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions.

  • Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions.

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

DESCRIPTION:
A memory corruption vulnerability has been identified in multiple Adobe products that could allow for remote code execution when opening maliciously crafted Flash content. The vulnerability is triggered by opening a specially crafted Flash (.swf) file or by opening a .pdf file with embedded malicious Flash content. Adobe Reader 9.x and Adobe Acrobat 9.x products are vulnerable via the 'authplay.dll' component, which allows those products to view Flash content within PDF files. Successful exploitation may result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with the user level of the logged on user. Failed exploitation could result in denial-of-service conditions.

 

Adobe has indicated that this vulnerability is being actively exploited over the internet.

 

Adobe is reporting that Flash player 10.1.53.64 RC7, released on June 2, 2010, does not appear to be vulnerable.

Note that Adobe Flash player 10.1.x versions have all been BETA releases.

 

Adobe Reader 8.x and Adobe Acrobat 8.x products are not vulnerable.

 

Adobe has not released a patch for this vulnerability at this time, and is currently recommending users delete, rename or remove access to the 'authplay.dll' that ships with Adobe Reader and Adobe Acrobat 9.x products to mitigate the threat for those products.

 

To disable Flash support in Adobe Reader 9 on Microsoft Windows, delete or rename this file:

 

       "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"

 

To disable Flash support in Adobe Acrobat 9 on Microsoft Windows, delete or rename this file:

 

       "%ProgramFiles%\Adobe\Acrobat 9.0\Acrobat\authplay.dll"

 

The above mitigation steps will result in reduced functionality within Adobe Acrobat and Adobe Reader applications. The file locations listed above may vary due to customized installations.

 

Antivirus vendors have released signatures that will protect against the currently released exploit.

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Install the appropriate Adobe patch as soon as it becomes available after appropriate testing.

  • Consider disabling Flash support in Adobe Acrobat and Adobe Reader by the steps noted above.

  • Rename or remove access to the ‘authplay.dll’ that ships with Adobe Reader and Adobe Acrobat.

  • Ensure that all antivirus software is up to date with the latest signatures.

  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.

  • If you believe you have been affected by attacks exploiting this vulnerability, please follow your organization's policies for incident reporting.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

 

 


NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION CYBER SECURITY ADVISORY - posted 5/25/10

CSCIC ADVISORY NUMBER:
2010-027 Updated

DATE(S) ISSUED:
4/9/2010

4/15/2010 - UPDATED

5/19/2010 - UPDATED

 

SUBJECT:
Multiple Vulnerabilities in the JRE Java Platform Could Allow Remote Code Execution

 

ORIGINAL OVERVIEW:
Multiple vulnerabilities have been discovered in the Oracle Java (formerly known as Sun Java) Runtime Environment (JRE) that could allow attackers to take complete control of a vulnerable system. The Java Runtime Environment is used to enhance the user experience when visiting web sites and is installed on most desktops and servers. These vulnerabilities may be exploited if a user visits or is redirected to a specifically crafted web page, or opens a specially crafted file. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

 

Proof of concept code for this vulnerability has been published and is publicly available. This code has been verified in our lab in a Windows environment and confirmed to cause remote code execution. Due to the ease with which this vulnerability can be exploited, we believe it is likely that this attack will be seen in the wild.

 

April 15 UPDATED OVERVIEW:
Oracle has indicated that Java Runtime Environment 1.6.0_20 (JRE 6 Update 20) has resolved this vulnerability.  We have tested the JRE 6 Update 20 in our lab environment to confirm that it does resolve this issue.

 

Please note that we have received reports of this vulnerability being used to actively compromise systems on the Internet.

 

May 19 UPDATED OVERVIEW:

Apple has released patches for the vulnerabilities described in this advisory.

 

ORIGINAL SYSTEMS AFFECTED:

 

  • JRE 1.6 Update 10 and Later

 

UPDATED SYSTEMS AFFECTED:

 

  • JRE 1.6 Update 10 - JRE 1.6 Update 19

 

RISK:


Government:

  • Large and medium government entities: High

  • Small government entities: High

 

Businesses:

  • Large and medium business entities: High

  • Small business entities: High

 

Home users: High

 

ORIGINAL DESCRIPTION:
Multiple vulnerabilities have been discovered in the Java Runtime Environment (JRE) applications that could allow attackers to execute remote code on a system. The JRE allows a user to run Java applications, including web programs called applets, which are used on many websites.

 

These remote code execution vulnerabilities are due to insufficient validation of user-supplied input passed to the 'launch' function of the Java Deployment Toolkit plugins and the 'docbase' and 'launchjnlp' parameters of the Java Platform SE plugins. After the input is passed to the plugins, an attacker can exploit these issues to pass arbitrary arguments to the 'javaws.exe' command. This vulnerability can be further leveraged to execute arbitrary JAR or DLL files through the use of the '-J', '-XXaltjvm' and '-J-XXaltjvm' parameters. These vulnerabilities may be exploited if a user visits or is redirected to a specifically crafted web page, or opens a specially crafted file. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.
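Detection logic for the argument injection described above, as an added example that is not part of the advisory: it scans process-creation records for javaws.exe launched with the '-J', '-XXaltjvm' or '-J-XXaltjvm' parameters the advisory names. The record layout, host names and command lines are constructed sample data, and the function names are illustrative.

```python
import ntpath
import re

# Browsers for which the advisory lists an affected Java plugin.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
# Parameters the advisory names as the route to loading an arbitrary JAR or DLL.
ALTJVM_PREFIXES = ("-XXaltjvm", "-J-XXaltjvm")
# A token is either a double-quoted run or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed process-creation records (not taken from a real system).
EVENTS = [
    {"host": "ws-014",
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Java\jre6\bin\javaws.exe" '
                r"http://intranet.example.test/app.jnlp"},
    {"host": "ws-022",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Java\jre6\bin\javaws.exe" '
                r"-J-XXaltjvm=CONSTRUCTED-VALUE http://site.example.test/"},
    {"host": "ws-031",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"javaws.exe -J-Xmx256m http://intranet.example.test/tool.jnlp"},
    {"host": "ws-040",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Java\jre6\bin\java.exe" -jar report.jar'},
]


def image_name(path):
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return ntpath.basename(path.strip('"')).lower()


def classify(event):
    """Return a finding for a javaws.exe launch carrying a flagged parameter, else None."""
    tokens = TOKEN_RE.findall(event["cmdline"])
    if not tokens or image_name(tokens[0]) != "javaws.exe":
        return None
    flagged = []
    for arg in (t.strip('"') for t in tokens[1:]):
        if arg.startswith(ALTJVM_PREFIXES):
            flagged.append(("high", arg))      # alternate JVM requested
        elif arg.startswith("-J"):
            flagged.append(("review", arg))    # JVM option passed through javaws
    if not flagged:
        return None
    severity = "high" if any(s == "high" for s, _ in flagged) else "review"
    return {
        "host": event["host"],
        "severity": severity,
        "args": [a for _, a in flagged],
        # A browser parent matches the plugin-driven launch the advisory describes.
        "browser_parent": image_name(event["parent"]) in BROWSERS,
    }


def scan(events):
    """Classify every record and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

A '-J' option on its own can be legitimate, which is why it is reported at a lower severity than an alternate-JVM request.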

 

The following plugins are affected and installed by default in the JRE:

 

deploytk.dll

This is a Java Deployment Toolkit plugin for Internet Explorer implemented as an ActiveX control identified by CLSID: {CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}

 

npdeploytk.dll
This is a Java Deployment Toolkit plugin for Mozilla Firefox implemented as a Netscape Plugin Application Programming Interface (NPAPI) plugin.

 

npjp2.dll
This is a Java Platform SE plugin for Mozilla Firefox and Google Chrome.

 

jp2iexp.dll
This is a Java Platform SE plugin for Internet Explorer implemented as an ActiveX control identified by CLSID: {8AD9C840-044E-11D1-B3E9-00805F499D93}

 

Please note: At this time, Oracle has not provided a patch.

 

Proof of concept code for this vulnerability has been published and is publicly available. This code has been verified in our lab in a Windows environment and confirmed to cause remote code execution. Due to the trivial nature of this exploit, we believe it is likely that this attack will be seen in the wild.

 

April 15 - UPDATED DESCRIPTION:

Oracle has indicated that Java Runtime Environment 1.6.0_20 (JRE 6 Update 20) has resolved this vulnerability.  We have tested the JRE 6 Update 20 in our lab environment to confirm that it does resolve this issue.

 

Please note that we have received reports of this vulnerability being used to actively compromise systems on the Internet.

 

May 19 UPDATED DESCRIPTION:

Apple has released patches for the vulnerabilities described in this advisory. These patches fix the JRE implementation in Apple’s OS X operating system.

 

 

ORIGINAL RECOMMENDATIONS:

We recommend the following actions be taken:

  • Set the kill bit on the Class Identifier (CLSID) {CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}; further instructions on how to set the kill bit can be found at the following location ( http://support.microsoft.com/kb/240797 ).

  • Mozilla Firefox and other NPAPI based browser users can be protected using File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via Group Policy Objects.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to download or open files from un-trusted websites.

  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.

  • Apply appropriate patches provided by Oracle to vulnerable systems as soon as they become available.
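The kill-bit recommendation above, and the CLSID list in the MS10-034 advisory (2010-043) earlier on this page, can be checked against a host's registry. The following is an added example, not part of the CSCIC advisories: it parses the text of a `reg export` of the ActiveX Compatibility key and reports which of the page's CLSIDs lack the kill bit (Compatibility Flags bit 0x400, per KB240797). The sample export and the function names are constructed for illustration.

```python
import re

# Kill bit: bit 0x400 of the "Compatibility Flags" DWORD stored under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID} (Microsoft KB240797).
KILL_BIT = 0x00000400

# CLSIDs named in advisories 2010-043 and 2010-027 on this page.
ADVISORY_CLSIDS = [
    "14FD1463-1F3F-4357-9C03-2080B442F503",  # Office Excel Data Analysis
    "E9CB13DB-20AB-43C5-B283-977C58FB5754",  # Office Excel Data Analysis
    "8fe85d00-4647-40b9-87e4-5eb8a52f4759",  # IE 8 Developer Tools
    "F6A56D95-A3A3-11D2-AC26-400000058481",  # Danske eSec
    "56393399-041A-4650-94C7-13DFCB1F4665",  # PSFormX
    "6f750200-1362-4815-a476-88533de61d0c",  # Ofoto / Kodak Gallery upload
    "6f750201-1362-4815-a476-88533de61d0c",  # Ofoto / Kodak Gallery upload
    "7F14A9EE-6989-11D5-8152-00C04F191FCA",  # CallPilot Unified Messaging
    "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA",  # Java Deployment Toolkit
]

# Native view, plus the Wow6432Node view read by 32-bit IE on 64-bit Windows.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$",
    re.IGNORECASE,
)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.IGNORECASE)

# Constructed sample. Real `reg export` files are UTF-16; decode before parsing.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{14FD1463-1F3F-4357-9C03-2080B442F503}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8FE85D00-4647-40B9-87E4-5EB8A52F4759}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}]
"Compatibility Flags"=dword:00800400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{14FD1463-1F3F-4357-9C03-2080B442F503}]
"Compatibility Flags"=dword:00000400
"""


def parse_reg_export(text):
    """Return {view: {"{CLSID}": flags}} for every ActiveX Compatibility subkey."""
    views = {}
    entry = None  # (view, clsid) of the key whose values are being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = KEY_RE.match(line)
            entry = None
            if match:
                view = "wow64" if match.group(1) else "native"
                entry = (view, match.group(2).upper())
                # A key with no flags value counts as flags == 0.
                views.setdefault(view, {}).setdefault(entry[1], 0)
            continue
        match = FLAGS_RE.match(line)
        if match and entry:
            views[entry[0]][entry[1]] = int(match.group(1), 16)
    return views


def audit_kill_bits(text, clsids):
    """Report, per CLSID and per registry view in the export, the kill-bit state."""
    views = parse_reg_export(text)
    report = {}
    for clsid in clsids:
        key = "{" + clsid.strip("{} ").upper() + "}"
        states = {}
        for view, entries in views.items():
            if key not in entries:
                states[view] = "no key"
            elif entries[key] & KILL_BIT:  # other flag bits may also be set
                states[view] = "kill bit set"
            else:
                states[view] = "key present, kill bit clear"
        report[key] = states
    return report


def unprotected(report):
    """CLSIDs that are not kill-bitted in every registry view seen in the export."""
    return sorted(c for c, states in report.items()
                  if not states or any(s != "kill bit set" for s in states.values()))


if __name__ == "__main__":
    for clsid in unprotected(audit_kill_bits(SAMPLE_EXPORT, ADVISORY_CLSIDS)):
        print("kill bit missing:", clsid)
```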

 

May 19 - UPDATED RECOMMENDATIONS:


We recommend the following actions be taken:

  • Systems running JRE 1.6 Update 10 - JRE 1.6 Update 19 should be updated to JRE 1.6 Update 20.

 

ORIGINAL REFERENCES:

Security Focus:
http://www.securityfocus.com/bid/39346

 

 
