RE: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin Arbitrar y Package Access Vulnerability
FYI, www.java.com is still dishing out 1.4.2_05
Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: customer service mailbox [mailto:customerservice@xxxxxxxxxxxx]
> Sent: 22 November 2004 18:18
> To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx
> Subject: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin
> Arbitrary Package Access Vulnerability
>
> Sun Java Plugin Arbitrary Package Access Vulnerability
>
> iDEFENSE Security Advisory 11.22.04
> www.idefense.com/application/poi/display?id=158&type=vulnerabilities
> November 22, 2004
>
> I. BACKGROUND
>
> Java Plug-in technology, included as part of the Java 2
> Runtime Environment, Standard Edition (JRE), establishes a
> connection between popular browsers and the Java platform.
> This connection enables applets on Web sites to be run within
> a browser on the desktop. More information about Java Plug-in
> technology is available from http://java.sun.com/products/plugin/.
>
> II. DESCRIPTION
>
> Remote exploitation of a design vulnerability in Sun
> Microsystems Inc.'s Java Plug-in technology allows attackers
> to bypass the Java sandbox and all security restrictions
> imposed within Java Applets.
>
> A number of private Java packages exist within the Java
> Virtual Machine
> (VM) and are used internally by the VM. Security restrictions
> prevent Applets from accessing these packages. Any attempt to
> access these packages, results in a thrown exception of
> 'AccessControlException', unless the Applet is signed and the
> user has chosen to trust the issuer.
>
> The problem specifically exists within the access controls of
> the Java to Javascript data exchange in web browsers using
> Sun's Java Plug-in technology. The vulnerability allows
> Javascript code to load an unsafe class which should not
> normally be possible from a Java Applet.
>
> III. ANALYSIS
>
> Successful exploitation allows remote attackers to execute
> hostile Applets that can access, download, upload or execute
> arbitrary files as well as access the network. A target user
> must be running a browser on top of a vulnerable Java Virtual
> Machine to be affected. It is possible for an attacker to
> create a cross-platform, cross-browser exploit for this
> vulnerability. Once compromised, an attacker can execute
> arbitrary code under the privileges of the user who
> instantiated the vulnerable browser.
>
> IV. DETECTION
>
> iDEFENSE has confirmed the existence of this vulnerability in
> Java 2 Platform, Standard Edition (J2SE) 1.4.2_01 and
> 1.4.2_04 from Sun Microsystems. It is suspected that earlier
> versions are vulnerable as well. Various browsers such as
> Internet Explorer, Mozilla and Firefox on both Windows and
> Unix platforms can be exploited if they are running a
> vulnerable Java Virtual Machine.
>
> V. WORKAROUND
>
> Disabling Java or JavaScript will prevent exploitation as the
> vulnerability relies on the data transfer between the two components.
> Other Java Virtual Machines, such as the Microsoft VM, are
> available and can be used as an alternative.
>
> VI. VENDOR RESPONSE
>
> This issue has been fixed in J2SE v 1.4.2_06 available at:
>
> http://java.sun.com/j2se/1.4.2/download.html
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has
> assigned the name CAN-2004-1029 to this issue. This is a
> candidate for inclusion in the CVE list
> (http://cve.mitre.org), which standardizes names for security
> problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 06/29/2004 Initial vendor notification
> 06/30/2004 Initial vendor response
> 08/16/2004 iDEFENSE clients notified
> 11/22/2004 Public disclosure
>
> IX. CREDIT
>
> Jouko Pynnonen (jouko[at]iki.fi) is credited with this discovery.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> X. LEGAL NOTICES
>
> Copyright (c) 2004 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the
> express written consent of iDEFENSE. If you wish to reprint
> the whole or any part of this alert in any other medium other
> than electronically, please email
> customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be
> accurate at the time of publishing based on currently
> available information. Use of the information constitutes
> acceptance for use in an AS IS condition.
> There are no warranties with regard to this information.
> Neither the author nor the publisher accepts any liability
> for any direct, indirect, or consequential loss or damage
> arising from use of, or reliance on, this information.
>