An unresolved security flaw in Java Web Start could be putting millions of Windows users at risk. The bug – discovered by Tavis Ormandy – allows arbitrary options to be passed to the Java virtual machine via the javaws command line application. This gives an attacker the opportunity to execute malign JAR files on the victim’s computer.
Tavis informed Sun (now owned by Oracle) about this problem, but states they did not consider the vulnerability to be important enough to break their quarterly patch cycle. Given how easily the flaw was discovered, Tavis disagreed and published his advice to temporarily disable the affected control until it gets fixed.
All versions since Java SE 6 Update 10 for Windows are believed to be vulnerable. Working exploits for this vulnerability are now in the public domain, so it is important to apply one of the workarounds suggested by Tavis:
- Internet Explorer users can be protected by temporarily setting the killbit on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA.
- Mozilla Firefox and other NPAPI-based browser users can be protected by using file system ACLs to prevent access to npdeploytk.dll. These ACLs can also be managed via GPO.
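As an added example (not code from this article or from Ormandy's advisory), the following PowerShell script applies both workarounds on a single Windows host. It assumes an elevated prompt, locates npdeploytk.dll by searching the Program Files directories rather than assuming a fixed Java install path, and relies on Microsoft's standard ActiveX Compatibility registry mechanism (the 0x400 "kill bit" in Compatibility Flags).

```powershell
# Added example: apply the two interim workarounds for the javaws flaw.
# Assumes an elevated PowerShell session. Reverse both steps once a fix is installed.

$clsid   = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'   # CLSID named in the advisory
$killBit = 0x400                                     # kill-bit value in Compatibility Flags

# 1. Internet Explorer: set the kill bit so IE refuses to instantiate the control.
#    On 64-bit Windows the 32-bit IE reads the Wow6432Node copy, so both keys are set.
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if (-not $current) { $current = 0 }
    # OR the kill bit into any flags already present rather than overwriting them.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $killBit) -Type DWord

    # Verify the bit actually landed.
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($flags -band $killBit) -ne $killBit) { throw "Kill bit not set under $key" }
    "Kill bit set: $key"
}

# 2. NPAPI browsers (Firefox and others): deny read/execute on npdeploytk.dll.
#    Assumption: Java is installed under one of the Program Files directories.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$dlls  = Get-ChildItem -Path $roots -Recurse -Filter 'npdeploytk.dll' -ErrorAction SilentlyContinue
if (-not $dlls) { Write-Warning 'npdeploytk.dll not found; NPAPI workaround not applied.' }
foreach ($dll in $dlls) {
    # Explicit deny of read-and-execute for Everyone; the plugin cannot be loaded.
    icacls $dll.FullName /deny 'Everyone:(RX)' | Out-Null
    "Denied read/execute: $($dll.FullName)"
}
```

To roll back after patching, clear the 0x400 bit from Compatibility Flags under each key and run `icacls <path> /remove:d Everyone` on the DLL.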
Full details can be found in Ormandy’s post to the Full Disclosure mailing list.
Netcraft’s Web Server Survey shows that Java Web Start is very seldom used by websites, so there is perhaps little to be lost by disabling JNLP support completely. Only 0.002% of the active sites in the April 2010 survey used JNLP technology on their homepages, whereas 0.26% of homepages contained traditional Java Applets.
Although Java usage is growing amongst mobile devices, and continues to remain strong as a server-side technology, it appears to have lost the battle for interactive client-side desktop browser technology. The combined share of JNLP and Applets pales into insignificance when compared with Adobe Flash, which is now found on more than 15% of all homepages.