Internet Security Systems - AlertCon(TM)

Review of the Java Web Start Jailbreak Vulnerability

Posted by Mike Montecillo and Craig Billado on July 12, 2010 at 5:34 AM EDT.

There has been a lot of buzz within the security community of late regarding vectors for exploitation via browser plugins and other technologies meant to enhance the web experience. To help determine the extent of these problems, the Threat Analysis division of IBM Managed Security Services has focused heavily on researching emerging issues in browser-based technologies. This particular post reviews an argument injection vulnerability affecting Sun Java JRE/JDK version 6.19 and earlier (CVE-2010-1423).


This vulnerability, when successfully exploited, could allow (and has allowed) those with malicious intent to execute arbitrary code on a victim's system, which in turn allows the attacker to deliver malware to those victims. To better grasp the gravity of an issue such as this, IBM Managed Security Services (MSS) reviewed a month-long period beginning shortly after the vulnerability was announced. Rather frighteningly, MSS discovered that within that timeframe (April 21 through May 26) 4,118 attacks against the CVE-2010-1423 vulnerability were observed.

Figure 1: Event volume 21 April 2010 – 26 May 2010


In addition to the large volume of attacks, MSS observed that the attacks were distributed amongst 161 source IP addresses, with the top 10 of those IP addresses generating roughly 44% of all events observed. In addition, 3,847 domain names were observed in the attacks, of which 80% belonged to the top-level domains .ru or .info.

These domains were further researched to determine the malicious intent of each individual website. This led MSS to notice a few things. First, most of these sites did not operate over the more common web application TCP ports such as 80/TCP or 443/TCP; rather, most of the sites used less common ports such as 8080/TCP.
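A triage pass like the one MSS describes, as an added example (not the post's or IBM's code) run over constructed alert lines: it measures how concentrated the attack sources are, what share of the landing domains fall under .ru or .info, and which domains serve the exploit on ports other than 80/TCP or 443/TCP. The alert format, the site names and the addresses are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed IPS alert lines (not data from the post), one per hit on the
# CVE-2010-1423 signature: "<timestamp> <source ip> <landing url>".
ALERTS = """\
2010-04-22T10:01:00Z 198.51.100.7 http://site-a.ru:8080/in.php
2010-04-22T10:02:00Z 198.51.100.7 http://site-b.ru:8080/in.php
2010-04-22T10:03:00Z 198.51.100.7 http://site-c.info:8080/load.php
2010-04-22T11:00:00Z 203.0.113.9 http://site-c.info:8080/load.php
2010-04-22T11:01:00Z 203.0.113.9 http://site-d.info/index.php
2010-04-23T09:00:00Z 192.0.2.44 http://site-e.com/index.php
2010-04-23T09:05:00Z 192.0.2.45 https://site-f.net/x.php
2010-04-23T09:06:00Z 198.51.100.7 http://site-a.ru:8080/in.php
2010-04-23T09:07:00Z 192.0.2.46 http://site-g.ru:8081/a.php
2010-04-23T09:08:00Z 203.0.113.9 http://site-b.ru:8080/in.php
"""

COMMON_WEB_PORTS = {80, 443}
WATCHED_TLDS = {"ru", "info"}

def parse_alerts(text):
    """Yield (source_ip, host, port) for each non-empty alert line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, url = line.split()
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        yield src, u.hostname.lower(), port

def summarize(text, top_n=10):
    """Source concentration, TLD mix and port use: the three measures in the post."""
    rows = list(parse_alerts(text))
    sources = Counter(src for src, _, _ in rows)
    host_port = {}  # one port per domain: the one seen on its first alert
    for _, host, port in rows:
        host_port.setdefault(host, port)
    top = sum(n for _, n in sources.most_common(top_n))
    watched = sum(1 for h in host_port if h.rsplit(".", 1)[-1] in WATCHED_TLDS)
    uncommon = Counter(p for p in host_port.values() if p not in COMMON_WEB_PORTS)
    return {
        "events": len(rows),
        "distinct_sources": len(sources),
        "top_source_share": top / len(rows),
        "distinct_domains": len(host_port),
        "watched_tld_share": watched / len(host_port),
        "uncommon_port_share": sum(uncommon.values()) / len(host_port),
        "uncommon_ports": sorted(uncommon.items()),
    }
```

On the constructed data, summarize(ALERTS, top_n=2) reports the top two sources producing 70% of events, 5 of 7 domains under .ru or .info, and 4 of 7 domains serving on a port other than 80 or 443.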

Next, MSS noticed that a large portion of these sites had been previously cataloged as malicious. This is not unusual, as many of these sites leverage multiple exploits via multiple pages within the same domain. In addition, these sites can be notoriously difficult to shut down for several reasons (on the positive side, though, this does make filtering of those sites fairly simple).

Finally, it was observed that most of the malicious sites were associated with the Fragus Exploit Kit. Fragus is a console application for managing and cultivating botnets. It has an arsenal of popular exploits that it directs against visiting web browsers. If an attack is successful, the victim becomes a member of the botnet and can be controlled by the Fragus console. Fragus can be purchased for $800 or found widely available for download around the Internet.

The moral of the story is that there are a lot of nasty sites out there ready and waiting to exploit not only the widely publicized vulnerabilities but also the relatively mundane ones. Furthermore, while the scale of an attack may seem daunting at the outset, the underlying attack mechanism (and in many cases the delivery model for those mechanisms) may be relatively simple and easy to trace. Here we found a mere exploit tool to be the culprit for a fair amount of work generated for MSS. Unfortunately, that exploit tool is just one of many; there are hundreds of other examples of this issue, which is most often seen in the mundane, everyday work of a security professional.

So stay sharp, keep content filters up to date, and keep Intrusion Prevention Systems tuned; these concerns aren't going away anytime soon.
