FYI, www.java.com is still dishing out 1.4.2_05

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

> -----Original Message-----
> From: customer service mailbox [mailto:customerservice@xxxxxxxxxxxx]
> Sent: 22 November 2004 18:18
> To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx
> Subject: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin
> Arbitrary Package Access Vulnerability
>
> Sun Java Plugin Arbitrary Package Access Vulnerability
>
> iDEFENSE Security Advisory 11.22.04
> www.idefense.com/application/poi/display?id=158&type=vulnerabilities
> November 22, 2004
>
> I. BACKGROUND
>
> Java Plug-in technology, included as part of the Java 2 Runtime
> Environment, Standard Edition (JRE), establishes a connection between
> popular browsers and the Java platform. This connection enables
> applets on Web sites to be run within a browser on the desktop. More
> information about Java Plug-in technology is available from
> http://java.sun.com/products/plugin/.
>
> II. DESCRIPTION
>
> Remote exploitation of a design vulnerability in Sun Microsystems
> Inc.'s Java Plug-in technology allows attackers to bypass the Java
> sandbox and all security restrictions imposed within Java Applets.
>
> A number of private Java packages exist within the Java Virtual
> Machine (VM) and are used internally by the VM. Security restrictions
> prevent Applets from accessing these packages. Any attempt to access
> these packages results in a thrown exception of
> 'AccessControlException', unless the Applet is signed and the user
> has chosen to trust the issuer.
>
> The problem specifically exists within the access controls of the
> Java to Javascript data exchange in web browsers using Sun's Java
> Plug-in technology. The vulnerability allows Javascript code to load
> an unsafe class which should not normally be possible from a Java
> Applet.
>
> III. ANALYSIS
>
> Successful exploitation allows remote attackers to execute hostile
> Applets that can access, download, upload or execute arbitrary files
> as well as access the network. A target user must be running a
> browser on top of a vulnerable Java Virtual Machine to be affected.
> It is possible for an attacker to create a cross-platform,
> cross-browser exploit for this vulnerability. Once compromised, an
> attacker can execute arbitrary code under the privileges of the user
> who instantiated the vulnerable browser.
>
> IV. DETECTION
>
> iDEFENSE has confirmed the existence of this vulnerability in Java 2
> Platform, Standard Edition (J2SE) 1.4.2_01 and 1.4.2_04 from Sun
> Microsystems. It is suspected that earlier versions are vulnerable as
> well. Various browsers such as Internet Explorer, Mozilla and Firefox
> on both Windows and Unix platforms can be exploited if they are
> running a vulnerable Java Virtual Machine.
>
> V. WORKAROUND
>
> Disabling Java or JavaScript will prevent exploitation as the
> vulnerability relies on the data transfer between the two components.
> Other Java Virtual Machines, such as the Microsoft VM, are available
> and can be used as an alternative.
>
> VI. VENDOR RESPONSE
>
> This issue has been fixed in J2SE v 1.4.2_06 available at:
>
> http://java.sun.com/j2se/1.4.2/download.html
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned
> the name CAN-2004-1029 to this issue. This is a candidate for
> inclusion in the CVE list (http://cve.mitre.org), which standardizes
> names for security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 06/29/2004 Initial vendor notification
> 06/30/2004 Initial vendor response
> 08/16/2004 iDEFENSE clients notified
> 11/22/2004 Public disclosure
>
> IX. CREDIT
>
> Jouko Pynnonen (jouko[at]iki.fi) is credited with this discovery.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> X. LEGAL NOTICES
>
> Copyright (c) 2004 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be
> accurate at the time of publishing based on currently available
> information. Use of the information constitutes acceptance for use
> in an AS IS condition. There are no warranties with regard to this
> information. Neither the author nor the publisher accepts any
> liability for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
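As an added defensive check (not part of the advisory or of Phil's post), a small inventory script that parses Sun JRE version strings in the 1.4.2_xx format and flags installs older than the fixed 1.4.2_06 build named in section VI; it treats every older release as affected, which is a conservative assumption based on section IV's note that earlier versions are suspected vulnerable. Hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed release named in section VI of the advisory.
FIXED_VERSION = "1.4.2_06"

# Sun-style version: major.minor.micro, optional _update, optional -build suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[0-9A-Za-z]+)?$")


def parse_jre_version(s):
    """Turn '1.4.2_05' into the comparable tuple (1, 4, 2, 5)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {s!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def version_from_java_output(text):
    """Extract the version string from the first line of `java -version` output."""
    m = re.search(r'java version "([^"]+)"', text)
    if not m:
        raise ValueError("no 'java version' line found")
    return m.group(1)


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is older than the fixed build.

    Assumption (ours, not the advisory's): anything below 1.4.2_06 is
    treated as affected, since earlier releases are suspected vulnerable.
    """
    return parse_jre_version(version) < parse_jre_version(fixed)


def triage(inventory):
    """Given {host: version}, return the sorted hosts still running an affected JRE."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "ws-01": "1.4.2_05",  # the build www.java.com was still serving
    "ws-02": "1.4.2_06",  # fixed release from section VI
    "ws-03": "1.4.2_01",  # confirmed vulnerable in section IV
    "ws-04": "1.4.1_02",  # older line, suspected vulnerable
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs upgrade to {FIXED_VERSION}")
```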