CASEScontact.org advisory - Sun updates for command execution and information disclosure vulnerabilities in Java
Just the facts
     
Title   CASEScontact.org advisory - Sun updates for command execution and information disclosure vulnerabilities in Java
Description   The Java Runtime Environment software contains multiple vulnerabilities:
  1. multiple unspecified errors in the Java Runtime Environment may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system by tricking a user into dragging and dropping a file from an applet to a desktop application that has the proper permissions.
  2. unspecified errors in Java Web Start could allow an untrusted application to determine the location of the Java Web Start cache, or read and write local files that are accessible to the user running the untrusted application.
  3. unspecified errors in the Java Runtime Environment could be exploited by a malicious applet, or by using Java APIs, to establish network connections to certain services on machines other than the originating host.
CyTRAP Labs ID   CT110115
Last update   2007-10-05
Vendor   Sun Java Runtime Environment
Original release date   2007-10-04
Date disclosed   2006-10-04
Date patched   2007-10-04
Source  
Systems affected   The vulnerabilities are reported in the following versions:
  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier

OPERATING SYSTEMS
Regardless of whether you run the above programs under:

  1. Windows 2000, XP, Vista,
  2. Windows 2003 Server
the vulnerabilities apply!
Remember, most PCs have this software installed, since many webpages require Java to give the user a good browsing experience.

IMPORTANT
The Java Runtime Environment must be removed from a PC before the update/later release is installed ==> see the section OTHER ACTIONS below on how to do it, fast and easy.

Version number   1.0
ISSN   1603-9858
Verify threat   http://casescontact.org/alerts/110115
Risk assessment   4
 


 

What is the problem?

How does it affect me?   Should I worry?

  1. The Threat
    is that the attack might proceed without the user even being aware of it.
    The JRE allows users to run Java applications in a browser or as standalone programs, so it is very widely used on webpages, and most likely every PC has one or several versions of it installed (see further below how to upgrade and remove all of them except the latest one - VERY important).

  2. Vulnerability
    in the Java Runtime Environment is caused by multiple issues that are due to:
    1. multiple unspecified errors in the Java Runtime Environment,
    2. unspecified errors in Java Web Start.

  3. Impact
    is such that a remote attacker could exploit the above vulnerabilities as follows:
    • an untrusted Java Web Start application or Java applet may move or copy arbitrary files on the system,
    • by tricking a user into dragging and dropping a file from an applet to a desktop application that has the proper permissions,
    • an untrusted application may determine the location of the Java Web Start cache, or read and write local files that are accessible to the user running the untrusted application,
    • a malicious applet, or Java APIs, may be used to establish network connections to certain services on machines other than the originating host.

CyTRAP Labs rates the risk as highly critical (4 on a five-point scale), in part for the following reasons:

  1. the user may not even realize that the vulnerability is being exploited on his or her machine, AND
  2. a social engineering attack can also take place, where the user is tricked into opening a specially crafted file to get infected,
  3. there does not seem to be a workaround available except downloading and installing the new version of the program.
If one falls prey to this type of attack, the impact is worrisome indeed, hence we rated it as a highly worrisome threat (i.e. 4 on a 5-point scale).
     

     
 

Minimize your exposure to this threat - follow the steps outlined below
     
Much Gain - Little Pain - Do this   For Firefox users there is an additional add-on that you might want to use to allow only trusted sites to execute scripts in your browser. Instructions for checking whether you have it installed, as well as where to get it, can be found here:

CyTRAP Labs choice - Free Tool for Firefox, Mozilla and SeaMonkey - Allowing JavaScript and Java execution at trusted sites only  

     
How do I fix it   CyTRAP Labs recommends that you upgrade to Java Runtime Environment Version 6 Update 3 (file size: ~7.1MB)

- Updating your Java Runtime Environment to Version 6 - Update 3

 
     
Other Actions   REMOVE OLDER VERSIONS BEFORE INSTALLING LATEST ONE

Can I remove older versions of the JRE after installing a newer version? Yes, you can; please check here (bottom of the posting) for exact instructions:


- CyTRAP Labs - Removing Java Runtime Environment in Windows - uninstallation instructions

Please remember that there could be several versions of the Java Runtime Environment running on your machine. You have to uninstall the older ones, since the exploit may ask to use the vulnerable version, and if it is still on your machine you are in trouble -- even if you installed the latest patched version!
     
Additional risk minimization   How can one find out whether several versions of the Java Runtime Environment are installed on one's machine?
CyTRAP Labs - Removing Java Runtime Environment in Windows - uninstallation instructions - checking if several versions are running on a PC
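The two checks the advisory asks for (which JREs are present, and whether each one is at or below an affected version) as an added example; this is not CyTRAP Labs' tool or Sun's code. The JavaSoft registry key layout and the family-naming rule are assumptions, and the fallback version list is constructed for illustration.

```python
import re

# Highest affected update per Java family as listed in the advisory ("1.x" legacy form).
AFFECTED_MAX = {"1.6": 2, "1.5": 12, "1.4.2": 15, "1.3.1": 20}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")

def parse_version(text):
    """'1.5.0_12' -> ('1.5', 12); '1.4.2_15' -> ('1.4.2', 15); None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, micro, update = m.groups()
    # Assumed naming rule: '1.5'/'1.6' (micro 0) versus '1.4.2'/'1.3.1' (micro nonzero).
    family = f"{major}.{minor}" if micro in (None, "0") else f"{major}.{minor}.{micro}"
    return family, int(update or 0)

def is_affected(text):
    """True if in a listed family at or below its affected update; False if newer or
    in an unlisted family; None if the string cannot be parsed (inspect manually)."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    family, update = parsed
    return family in AFFECTED_MAX and update <= AFFECTED_MAX[family]

def installed_jres():
    """Version subkeys under the JavaSoft registry hive (Windows only; key layout is an
    assumption about Sun's installer). Two-part alias keys such as '1.6' are skipped."""
    try:
        import winreg
    except ImportError:
        return []  # not Windows: nothing to scan
    found = []
    for root in (r"SOFTWARE\JavaSoft\Java Runtime Environment",
                 r"SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                name = winreg.EnumKey(key, i)
                if not re.fullmatch(r"\d+\.\d+", name):
                    found.append(name)
    return found

if __name__ == "__main__":
    # Constructed sample, used when no registry is available (e.g. on Linux/macOS).
    versions = installed_jres() or ["1.6.0_02", "1.5.0_12", "1.4.2_15", "1.6.0_03"]
    for v in versions:
        print(f"{v:12} affected={is_affected(v)}")
```

Every version reported as affected should be uninstalled as the advisory describes, not merely left beside the patched Version 6 Update 3.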
   
 

If you need more information, please read on. Otherwise follow the steps outlined above.
     
Source   Vulnerability reported by Sun
Source URL   http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1, http://sunsolve.sun.com/search/document.do?assetkey=1-26-1030
Source date   2007-10-04
Other source   Vulnerability reported by Sun
Other source URL   http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1, http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1,
Other source date   2007-10-04
More information   Vulnerabilities reported by Peter Csepely, Dan Boneh, Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, David Byrne and Billy Rios.
CVE   Generic only
CyTRAP labs ID   CT 110115
 



Administrative
     
Author   Urs E. Gattiker - CyTRAP Labs
     
Revisions  
  • 1.1 - 2007-10-05 - First Version

Contact details   Web: http://CASEScontact.org
    E-mail: support01 at CASEScontact.org
    Tel: +41(0)76-200-7778 or +44(0)70-9237-6036
    Fax: +44(0)70-9237-6036, dial 3 send fax
     

    --END of ADVISORY - Important Info Below--
     
    We recommend that you VERIFY ALL ADVISORIES you receive IMMEDIATELY, by clicking on the link provided at the top of this alert.

    NO WARRANTY
    Any material furnished by CASEScontact.org is furnished on an 'as is' basis. CASEScontact.org, writers & sponsors make no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.

    Ride the rollercoaster successfully by subscribing to our alerts, tips, tools and skills training receiving them either via:

    1) e-mail
    2) RSS feeds, or else, just get a
    3) free skills tune-up


    CASES writers & sponsors do not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
    Full DISCLAIMER notice at: http://www.casescontact.org/terms.php

    UNSUBSCRIBE
    If you no longer wish to receive this THREAT ALERT, please Unsubscribe at:
    http://www.casescontact.org/unsubscribe.php

    QUESTIONS, comments, ideas? Cheer us up at: Alerts-Comments at CASEScontact.org

    CASEScontact.org -- Threat Alerts and Security Notices --clear and precise, no compromise -
    --currently hosted by Flashcable

    -- END of THREAT ALERT --
    Copyright (c) 2007 by CyTRAP labs - Urs E. Gattiker. All rights reserved.