Two researchers released information on a vulnerability in Sun's Java Runtime Environment that could give attackers a new point of attack to perform drive-by-downloads and compromise targeted clients on all current versions of Windows operating systems and several popular browsers.
Security Researcher Tavis Ormandy posted a description of the flaw to the full disclosure mailing list of seclist.org today. The vulnerability originates in the browser plug-in Java Deployment Toolkit, which is installed automatically alongside Java Runtime Environments since version 6 update 10 into browsers like Microsoft Internet Explorer, Mozilla Firefox or Google Chrome. The method launch in the toolkit enables an attacker to execute Java's Web Start Launcher with arbitrary parameters. Ormandy provided a proof-of-concept web page that loads and executes a JAR file he placed on his web page.
Only a few hours later, Researcher Rubén Santamarta released information on how to load an arbitrary remote DLL by combining the aforementioned flaw with the parameter -XXaltjvm to substitute the loaded JVM library. According to Santamarta he was able to bypass security measures DEP and ASLR given that the DLL is directly loaded into the process memory of Web Start Launcher. As Java is installed on a great percentage of clients, the exploit could quickly become popular with computer criminals around the globe. Particularly, since it is functional in the most popular browsers regardless of the security measures introduced in Windows Vista and 7.
As a workaround to prevent exploitation of this flaw, users are advised to disable Java Web Start in their browsers. In Microsoft's Internet Explorer this can be established by setting the kill bit of the ActiveX class ID 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' (MS advisory).