Re: Java - JRE, SDK Java Web Start



Hello Sapa3a, so if I wrote called that would place a called down c:\program files\myprogram\jre\1.5.0_09 and then convinced a user to run it in "Internet Explorer" or possibly Outlook, or just good old "Windows", you don't think I could exploit a vulnerability in that version?

I know with the Sun Java Web Start vulnerability there are several workarounds if you can't update to the newest version of JRE.

To work around this vulnerability, if you are not actively using Java WebStart, remove the .jnlp content type association in your registry:

- HKLM:Software\Classes\.jnlp
- HKLM:Software\Classes\JNLPfile
- HKLM:Software\Classes\MIME\Database\Content Type\application/x-java-jnlp-file

By deleting these registry keys, Java WebStart will no longer be used to open .jnlp files, thereby mitigating this vulnerability.

Other workarounds:

- Disable Java Web Start applications from being launched from a web browser:
  Internet Explorer:
    Right click on the "Start" button and select "Explore"
    In the "Start Menu" window, select "Tools" => "Folder Options"
    From the "Folder Options" window, select the "File Types" tab
    From the "Registered File Types" window, scroll down and locate the "JNLP - JNLP File"
    Select the "JNLP - JNLP File" and click the "Delete" button

- On Windows, applications may also be launched from the desktop icon or from the "Start" menu if a shortcut was previously created for an application. Unknown applications should not be launched through the desktop icon or the Start Menu. Shortcuts can be removed by using the Java Web Start Application Manager through the "Application/Remove Shortcut" menu item. For more information, see:

http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/overview.html

- It is also possible to launch applications through the command line in Windows. Unknown applications should not be launched through the command line. Sites may consider renaming the Java Web Start launcher ("javaws.exe" for Windows) to prevent Java Web Start from launching.

The launcher can be found at C:\Program Files\java\j2re1.5.0\javaws\javaws.exe (or down my path c:\program files\myprogram\jre\1.5.0_09\javaws.exe)

Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
Patch Information http://www.securityfocus.com/archive/1/archive/1/473224/100/0/threaded

Security Focus - http://www.securityfocus.com/bid/24832

So I think JRE can be exploited directly on a "WINDOWS" system

Best Regards --John

-------------- Original message ----------------------
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Dear jfvanmeter@xxxxxxxxxxx,

Vulnerability in JRE itself can not be exploited directly. It can only
be exploited through some JAVA-enabled application, browser in most
cases. In case of e.g. JAVA-based Cisco VoIP software, vulnerability in
JRE can only be exploited in case vulnerability is in some function
used with remote user-supplied arguments. It's rare enough case for
Java. In this case, I believe, Cisco (or write any different vendor
here) should issue an update for its software. It's not necessary for
Cisco to update software every time JRE is updated, if vulnerability
doesn't affect Cisco product installation.

--Monday, July 16, 2007, 7:18:37 PM, you wrote to vuln-dev@xxxxxxxxxxxxxxxxx:

jcn> How does everyone feel about java being installed by vendors
jcn> in a proprietary path i.e. program files\mysoftware\bin\jre\1.4.0\
jcn> and never patching it.

jcn> I ran an enterprise scan looking for javaws.exe and found
jcn> it in 175 unique paths. Should they be held accountable for the
jcn> patching of java when they install it?

jcn> I had one vendor who installed java 1.3 and 1.4, and when I
jcn> asked them about it, their statement was "you don't have the modules
jcn> that require those versions you can just delete them"

jcn> How does everyone patch Java that is not installed in its default location?


--
~/ZARAZA http://securityvulns.com/
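
An added example, not part of the original thread or from either poster: a per-host PowerShell inventory of the kind of scan described above, listing every javaws.exe copy with its file version and reporting whether the three .jnlp association keys from the workaround are still present. The search roots and function names are assumptions chosen for illustration.

```powershell
# Added example (not from the original thread): per-host inventory of javaws.exe
# copies plus the state of the three .jnlp association keys named in the workaround.
# Assumption: vendor-bundled JREs live under the Program Files roots; add others as needed.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-JavaWsCopy {
    param([string[]]$SearchRoot)
    foreach ($root in $SearchRoot) {
        # Unreadable folders are skipped rather than aborting the scan.
        Get-ChildItem -LiteralPath $root -Filter 'javaws.exe' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    Product     = $_.VersionInfo.ProductName
                    LastWrite   = $_.LastWriteTimeUtc
                }
            }
    }
}

function Get-JnlpAssociationState {
    # .NET OpenSubKey is used instead of Test-Path because the MIME key name contains
    # a forward slash, which the PowerShell registry provider treats as a path separator.
    # The result reflects the registry view of the running PowerShell process.
    $subKeys = @(
        'Software\Classes\.jnlp',
        'Software\Classes\JNLPfile',
        'Software\Classes\MIME\Database\Content Type\application/x-java-jnlp-file'
    )
    foreach ($name in $subKeys) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($name)  # read-only open
        [pscustomobject]@{ Key = "HKLM\$name"; Present = ($null -ne $key) }
        if ($key) { $key.Close() }
    }
}

Get-JavaWsCopy -SearchRoot $roots | Sort-Object Path | Format-Table -AutoSize
Get-JnlpAssociationState | Format-Table -AutoSize
```

Piping `Get-JavaWsCopy` to `Export-Csv` instead of `Format-Table` gives one file per host that can be merged to count unique paths and versions across the enterprise.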