Sun releases patch to address a number of serious vulnerabilities


Summary: Sun released an update today to cover numerous vulnerabilities within the JDK/JRE. The following vulnerabilities were reported as patched: Two security vulnerabilities in the Java Runtime Environment Virtual Machine may independently allow an untrusted application or applet that is downloaded from a website to elevate its privileges.


Sun released an update today to cover numerous vulnerabilities within the JDK/JRE.

The following vulnerabilities were reported as patched:

  • Two security vulnerabilities in the Java Runtime Environment Virtual Machine may independently allow an untrusted application or applet that is downloaded from a website to elevate its privileges.  For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet. (CVE-2008-1185, CVE-2008-1186)
  • A security vulnerability in the Java Runtime Environment (JRE) with the processing of XSLT transformations may allow an untrusted applet or application that is downloaded from a website to elevate its privileges.  For example, an applet may read certain unauthorized URL resources (such as some files and web pages) or potentially execute arbitrary code.  This vulnerability may also be exploited to create a Denial-of-Service (DoS) condition by causing the JRE to crash. (CVE-2008-1187)
  • Three buffer overflow vulnerabilities in Java Web Start may independently allow an untrusted Java Web Start application that is downloaded from a website to elevate its privileges.  For example, an untrusted Java Web Start application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. (CVE-2008-1188, CVE-2008-1189)
  • A vulnerability in Java Web Start may allow an untrusted Java Web Start application to elevate its privileges.  For example, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. (CVE-2008-1190)
  • A vulnerability in Java Web Start may allow an untrusted Java Web Start application to create files on the system that the untrusted application runs on and leverage these files to run local applications with the privileges of the user running the untrusted Java Web Start application. (CVE-2008-1191)
  • A security vulnerability in the Java Plug-in may allow an applet that is downloaded from a website to bypass the same origin policy and leverage this flaw to execute local applications that are accessible to the user running the untrusted applet. (CVE-2008-1192)
  • A vulnerability in the Java Runtime Environment image parsing library may allow an untrusted application or applet that is downloaded from a website to elevate its privileges.  For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet. (CVE-2008-1193)
  • Two vulnerabilities in the color management library may allow an untrusted applet or application to cause the Java Runtime Environment to crash, which is a type of Denial of Service (DoS). (CVE-2008-1194)
  • A vulnerability in the Java Runtime Environment may allow JavaScript code that is downloaded by a browser to make connections to network services on the system that the browser runs on, through Java APIs.  This may allow files (that are accessible through these network services) or vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. (CVE-2008-1195)
  • A buffer overflow vulnerability in Java Web Start may allow an untrusted Java Web Start application that is downloaded from a website to elevate its privileges. For example, an untrusted Java Web Start application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. (CVE-2008-1196)

Affected Versions:

  • JDK and JRE 6 Update 5
  • JDK and JRE 5.0 Update 15
  • SDK and JRE 1.4.2_17
  • SDK and JRE 1.3.1_22

Obviously some of these are very serious issues and I expect that we will see some great proof of concept code shortly that I will also talk about here.

-Nate


Talkback

15 comments
  • Cross-platform drive-by downloads...

    ...brought to you by Sun!
    toadlife
  • Link?!?

    A link would be nice so I could be sure I have the patches. The Java control panel update functionality did update when I asked it to but it says Version 6 Update 5 (build 1.6.0_05-b13) is the latest available. Your article says JRE 6 Update 5 is vulnerable. So considering Sun's site is useless when you want to find something without spending hours, do you have a link to patches that are not part of the built in updating or is there a mistake in the article and JRE6U5 b13 has these patches applied?
    BP314
    • Re: link

      sorry, posted in a rush. I'll include a link later.
      nmcfeters
    • RE: Link

      http://www.securityfocus.com/bid/28083/info

      This link should have all the info you need. If you look in the
      "Solutions" section, it has links to Java's site that should give
      you more relevant info.

      -Nate
      nmcfeters
      • Thank You. (NT)

        (NT)
        BP314
        • RE: Thank You

          No problem, sorry I didn't post it in the original, just got so busy right before I left and wanted to get the story out.

          -Nate
          nmcfeters
  • This has got to have been the most informative article I have read.

    It sure is amazing just how much history these folks and Microsoft have held up to control this much information flow. What is everyone else doing to adapt to Sun Microsystems and Microsoft?
    rtirman37@...
  • RE: Sun releases patch to address a number of serious vulnerabilities

    Your information is incorrect, JDK and JRE 6 Update 5 is not affected.

    That was the version that was released to fix these issues.

    http://www.securityfocus.com/bid/28083/info
    http://secunia.com/advisories/29239/
    Linux Geek
    • RE:

      My information came from the same securityfocus advisory. So unless they've since updated their data, my information is correct.
      nmcfeters
      • Somebody's got it wrong

        Not Vulnerable: Sun JRE 6.0 Update 5

        Security Focus

        Affected Versions:

        * JDK and JRE 6 Update 5

        ZDNET

        Vulnerable software and versions

        − Sun, JRE, 6 Update 4, and previous

        NVD: CVE-2008-1187

        The following vulnerabilities were reported as patched:

        (CVE-2008-1187)

        ZDNET
        FreewheelinFrank
        • RE:

          I would go with what is on Security Focus. It's possible that they updated their info. I copied and pasted that piece from that site earlier. I'll update the blog now.

          -Nate
          nmcfeters
        • It IS 1.6.0.4 or earlier....1.6.0.5 IS the fix.

          And even 1.6.0.4 was only a developer version to fix development bugs but was NEVER released on the end-user site. Sun essentially went from 1.6.0.3 to 1.6.0.5.

          1.6.0.5 IS the fix. The above article is incorrect.
          :-)
          dunn@...
  • still just a windoze vulnerability

    There is no need for Linux to panic since there is no attack vector for it.
    Linux Geek
  • RE: still just a windoze vulnerability

    How do you figure this?

    The securityfocus advisory mentions *Nix as well. Not sure where you are getting your information, but it looks vulnerable to at least some of the issues on *Nix as well.

    -Nate
    nmcfeters
    • The article could have been about cotton candy

      that poster will still draw Windows into it fairly or not just to bash and forward own agenda. You won't get much mileage elsewhere, just a straight shot.
      Boot_Agnostic