// back

Oracle Java SE JavaFx D3DShader Invalid Type Cast Vulnerability

01.02.13

BACKGROUND

Oracle's JavaFX is a software platform for creating cross-platform rich Internet applications (RIAs) was developed using the Java programming language or JavaFX script. It is bundled with Java Runtime Environment (JRE) and Java Development Kit since Java SE 7 Update 2. For Java SE 6, it is available to be downloaded separately from Oracle's website. For more information, please visit the vendor's website at:

http://www.oracle.com/technetwork/java/javafx/index.html

DESCRIPTION

Remote exploitation of an invalid type cast vulnerability in Oracle Corp.'s JavaFX software platform could allow an attacker to execute arbitrary code with the privileges of the current user.

The vulnerability exists within the D3DShader class of the com.sun.prism.d3d package in the JavaFX library. The init() method of this public class will take an arbitrary user-supplied value as an object pointer. This can lead to arbitrary code execution under the context of the current process.

ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the current user. In order to exploit this vulnerability, a user must load a Web page containing a specially crafted Java applet or Java Web Start application. After the user visits the malicious Web page, no further user interaction is needed. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. Typical social engineering attacks will pass URLs as part of instant messages or e-mail.

DETECTION

JavaFX 2.2.4 and prior are vulnerable.

WORKAROUND

Disable the Java plug-in in Internet Explorer, Firefox, Safari, Opera and Google Chrome. This workaround will prevent Java Applet and Java Web Start applications from running from websites, but will not affect regular Java applications.

VENDOR RESPONSE

Oracle has released a fix which addresses this issue. For more information, consult their advisory at the following URL:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013verbose-1841196.html

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-4301 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

11/16/2012 Initial Vendor Notification
11/19/2012 Initial Vendor Reply
02/01/2013 Coordinated Public Disclosure

CREDIT

This vulnerability was reported to iDefense by Vitaliy Toropov.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2013 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense Verisign. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.