RE: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin Arbitrar y Package Access Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx
Subject: RE: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin Arbitrar y Package Access Vulnerability
From: "Randal, Phil" <prandal@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 23 Nov 2004 11:49:05 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

FYI,  www.java.com is still dishing out 1.4.2_05

Phil

----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: customer service mailbox [mailto:customerservice@xxxxxxxxxxxx] 
> Sent: 22 November 2004 18:18
> To: bugtraq@xxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx
> Subject: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin 
> Arbitrary Package Access Vulnerability
> 
> Sun Java Plugin Arbitrary Package Access Vulnerability
> 
> iDEFENSE Security Advisory 11.22.04
> www.idefense.com/application/poi/display?id=158&type=vulnerabilities
> November 22, 2004
> 
> I. BACKGROUND
> 
> Java Plug-in technology, included as part of the Java 2 
> Runtime Environment, Standard Edition (JRE), establishes a 
> connection between popular browsers and the Java platform. 
> This connection enables applets on Web sites to be run within 
> a browser on the desktop. More information about Java Plug-in 
> technology is available from http://java.sun.com/products/plugin/.
> 
> II. DESCRIPTION
> 
> Remote exploitation of a design vulnerability in Sun 
> Microsystems Inc.'s Java Plug-in technology allows attackers 
> to bypass the Java sandbox and all security restrictions 
> imposed within Java Applets.
> 
> A number of private Java packages exist within the Java 
> Virtual Machine
> (VM) and are used internally by the VM. Security restrictions 
> prevent Applets from accessing these packages. Any attempt to 
> access these packages, results in a thrown exception of 
> 'AccessControlException', unless the Applet is signed and the 
> user has chosen to trust the issuer.
> 
> The problem specifically exists within the access controls of 
> the Java to Javascript data exchange in web browsers using 
> Sun's Java Plug-in technology. The vulnerability allows 
> Javascript code to load an unsafe class which should not 
> normally be possible from a Java Applet.
> 
> III. ANALYSIS
> 
> Successful exploitation allows remote attackers to execute 
> hostile Applets that can access, download, upload or execute 
> arbitrary files as well as access the network. A target user 
> must be running a browser on top of a vulnerable Java Virtual 
> Machine to be affected. It is possible for an attacker to 
> create a cross-platform, cross-browser exploit for this 
> vulnerability. Once compromised, an attacker can execute 
> arbitrary code under the privileges of the user who 
> instantiated the vulnerable browser.
> 
> IV. DETECTION
> 
> iDEFENSE has confirmed the existence of this vulnerability in 
> Java 2 Platform, Standard Edition (J2SE) 1.4.2_01 and 
> 1.4.2_04 from Sun Microsystems. It is suspected that earlier 
> versions are vulnerable as well. Various browsers such as 
> Internet Explorer, Mozilla and Firefox on both Windows and 
> Unix platforms can be exploited if they are running a 
> vulnerable Java Virtual Machine.
> 
> V. WORKAROUND
> 
> Disabling Java or JavaScript will prevent exploitation as the 
> vulnerability relies on the data transfer between the two components.
> Other Java Virtual Machines, such as the Microsoft VM, are 
> available and can be used as an alternative.
> 
> VI. VENDOR RESPONSE
> 
> This issue has been fixed in J2SE v 1.4.2_06 available at:
> 
>    http://java.sun.com/j2se/1.4.2/download.html
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has 
> assigned the name CAN-2004-1029 to this issue. This is a 
> candidate for inclusion in the CVE list 
> (http://cve.mitre.org), which standardizes names for security 
> problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 06/29/2004   Initial vendor notification
> 06/30/2004   Initial vendor response
> 08/16/2004   iDEFENSE clients notified
> 11/22/2004   Public disclosure
> 
> IX. CREDIT
> 
> Jouko Pynnonen (jouko[at]iki.fi) is credited with this discovery.
> 
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2004 iDEFENSE, Inc.
> 
> Permission is granted for the redistribution of this alert 
> electronically. It may not be edited in any way without the 
> express written consent of iDEFENSE. If you wish to reprint 
> the whole or any part of this alert in any other medium other 
> than electronically, please email 
> customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be 
> accurate at the time of publishing based on currently 
> available information. Use of the information constitutes 
> acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. 
> Neither the author nor the publisher accepts any liability 
> for any direct, indirect, or consequential loss or damage 
> arising from use of, or reliance on, this information.
>

Prev by Date: Re: Changes to the filesystem while find is running - comments?
Next by Date: Re: Changes to the filesystem while find is running - comments?
Previous by thread: RE: iDEFENSE Security Advisory 11.22.04: Sun Java Plugin Arbitrar y Package Access Vulnerability
Next by thread: Fotolog.net cross-site scripting vulnerabilities [RLSA_05-2004]
Index(es):
- Date
- Thread