Web Attack: Java Deployment Toolkit Input Validation CVE-2010-0886 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an insufficient validation vulnerability in the Java Deployment Toolkit ActiveX control.

Additional Information

Java Deployment Toolkit Performs Insufficient Validation of Parameters
-------------------------------------------------------------------------

Java Web Start (henceforth, jws) provides Java developers with a way to let
users launch and install their applications using a URL to a Java Network
Launch Protocol (.jnlp) file (essentially some XML describing the
program).

Since Java 6 Update 10, Sun has distributed an NPAPI plugin and ActiveX control
called "Java Deployment Toolkit" to provide developers with a simpler method
of distributing their applications to end users. This toolkit is installed by
default with the JRE and marked safe for scripting.

The launch() method provided by the toolkit object accepts a URL string, which
it passes to the registered handler for JNLP files, which by default is the
javaws utility.
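
The kind of parameter validation the description says is missing, sketched as an added example (not code from the toolkit or from this advisory): an allow-list check run on the string before it is handed to launch(). The names validateLaunchUrl and guardedLaunch, the length limit and the example.com URLs are assumptions made for illustration.

```javascript
'use strict';
// Added example: allow-list validation in front of launch().
// validateLaunchUrl and guardedLaunch are hypothetical, not toolkit APIs.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
// Checked on the raw string, before parsing: the WHATWG URL parser silently
// strips tabs/newlines and rewrites backslashes, hiding them from later checks.
const FORBIDDEN_RAW = /[\s\u0000-\u001f\u007f"'`\\<>|^{}]/;
const MAX_LEN = 2048; // assumed limit

function validateLaunchUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > MAX_LEN) {
    return { ok: false, reason: 'not a string of acceptable length' };
  }
  if (FORBIDDEN_RAW.test(raw)) {
    return { ok: false, reason: 'whitespace, control or unexpected character' };
  }
  let u;
  try {
    u = new URL(raw); // no base URL given, so relative strings are rejected
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (!ALLOWED_SCHEMES.has(u.protocol)) {
    return { ok: false, reason: 'scheme is not http or https' };
  }
  if (u.username || u.password) {
    return { ok: false, reason: 'embedded credentials' };
  }
  if (!/\.jnlp$/i.test(u.pathname)) {
    return { ok: false, reason: 'path is not a .jnlp file' };
  }
  // Hand on the parser's normalized form, never the caller's raw string.
  return { ok: true, url: u.href };
}

// Wraps any object exposing launch(url); only validated URLs reach it.
function guardedLaunch(toolkit, raw) {
  const verdict = validateLaunchUrl(raw);
  if (verdict.ok) toolkit.launch(verdict.url);
  return verdict;
}
```
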

Affected

  • Java 6 Update 10