Sun Java Security Issue with Javascript

From: Mungo (reallydontmail_at_me.com)
Date: 11/26/04 

Date: Fri, 26 Nov 2004 18:07:47 GMT

Sun has let be known that the 1.4_05 version of their jre opens all
browsers using it to a possible exploit (Netscape, Mozilla, Firefox and IE
(if you have checked the box in Internet Options to use Sun Java).

See:

http://www.infoworld.com/article/04/11/24/HNsunhot_1.html

and/or

http://isc.sans.org//diary.php?date=2004-11-23

Although Sun released the information, no reference to this issue seems to
exist on their own Sun or java.sun websites. (Maybe we didn't look hard
enough, though).

In a cruel twist of fate, Microsoft IE is not susceptible to the problem if
you use their Java VM (of course, one of the other IE vulnerabilities will
probably get you first anyway).

The reason that this is very serious is that there is no normal update
channel which prods users to patch their jre. Upgrading to the _06 is
pretty easy for most of us, but imagine the user who doesn't have any idea
as to how to change his/her browser from _05 or less to the _06 version
after the _06 is installed.

If this proves to result in a viable exploit, a little vendor support
(Debian,RedHat,Suse, Open/Free-bsd,etc or Sun themselves) is in order here
to get a plugin upgrade installer out there for whichever version of
browser they distribute. The latter will minimize damage to the reputation
of non-MS systems if this vuln spawns serious exploits.

The extent that malicious applets can access system functions is not clear
from the articles (assuming you don't browse as root, which I hope few if
any would do).

... mungo

Relevant Pages

  • Re: IE & applets
    ... using a version that is too new for the browser. ... IE's version of Java ... >> has been the central issue in multiple lawsuits against MS by Sun. ... to download version 1.1 from Sun and use it to create your applet. ...
    (comp.lang.java.help)
  • Re: this.showStatus not working...
    ... apparently a bug. ... OTOH - I guess Sun would have every right to mark ... As a general comment on applets though. ... and browser if the browser/Java versions are different ...
    (comp.lang.java.programmer)
  • Re: Suggestions for solution - command shell web interface ??
    ... I tried that one, but whilst I have only looked at using mozilla on my Sun as a browser, it kept locking up. ... The program I want to run and the web server both run on Solaris, so if a shell connection is emulated in a browser, that would solve it. ... You logged into the Sun, started a server going on some port, then a browser could connect to that port. ...
    (uk.net.web.authoring)
  • Re: end session when the browser window is closed.
    ... Sun ... "Eliyahu Goldin" wrote: ... >> I want to do clean up routine to my database when the browser is closed. ... >> Somehow I want to capture browser close event and fire session abandon ...
    (microsoft.public.dotnet.framework.aspnet)
Loading