MS-ISAC Advisory #2008-038 (12/04/2008) - Multiple Vulnerabilities in Sun Java Web Start and Java Plug-in -

MS-ISAC ADVISORY NUMBER:
2008-038

DATE(S) ISSUED:
12/04/2008

SUBJECT:
Multiple Vulnerabilities in Sun Java Web Start and Java Plug-in

OVERVIEW:

Multiple vulnerabilities have been discovered in the Sun Java Web Start and Java Plug-in that could allow a remote attacker to take control of a vulnerable system. Sun Java Web Start is a tool in the Java Runtime Environment (JRE) common to virtually all desktop environments. JRE allows java applications to launch either from a desktop or within a web page. These vulnerabilities can be exploited when a user visits a web site that contains a malicious script code. Successful exploitation may allow attackers to access sensitive information, bypass security restrictions, or read, write and execute arbitrary files with the same rights as the logged on user.

Sun Microsystems released patches which addresses these vulnerabilities.

SYSTEMS AFFECTED:

Sun JDK and Sun JRE 6 Update 10 and earlier
Sun JDK and Sun JRE 5.0 Update 16 and earlier
Sun SDK and Sun JRE 1.4.2_18 and earlier
Sun SDK and Sun JRE 1.3.1_23 and earlier

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Multiple security vulnerabilities have been identified in the Sun Java Web Start and Java Plug-in. These vulnerabilities can be exploited when a user visits a web site that contains a specially-crafted and malicious Java Script code or Java applet.

Successful exploits may allow attackers to disclose sensitive information, bypass security, or read, write and execute arbitrary files with the same rights as the user.

The following is the list of reported vulnerabilities:

One vulnerability allows an attacker to connect to hosts other than the initial host that downloaded the application
Four Information-disclosure vulnerabilities which may allow an attacker to gather sensitive information
Four vulnerabilities which could allow an attacker to bypass security polices
One vulnerability that allows hidden code to hijack HTTP session cookies
One vulnerability that allows for read, write, execute permissions
One vulnerability that allow for JRE to create temporary files in an insecure manner
Three vulnerabilities which allow for a buffer overflow handling
Two vulnerabilities which allow for privileged escalation
One vulnerability for UNICODE Transformation Format
Two denial-of-service vulnerabilities (Kerberos) & (RSA public keys)

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches provided by Sun Microsystems to vulnerable systems immediately after appropriate testing.
Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
Do not visit unknown or un-trusted Web sites or click on links provided in an email.
Do not open email attachments from unknown or un-trusted sources.

REFERENCES:

Security Focus:
http://www.securityfocus.com/bid/32620
http://www.securityfocus.com/bid/32608

Secunia:
http://secunia.com/advisories/32991/

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=757

This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.

MS-ISAC

Multi-State Information Sharing and Analysis Center

Alert Level: