MS-ISAC ADVISORY NUMBER:
2009-048

DATE(S) ISSUED:
8/5/2009

SUBJECT:
Multiple Vulnerabilities in Sun Java Products Could Allow Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Sun Java Runtime Environment and the Sun Java Development Kit that could allow attackers to take complete control of a vulnerable system. The Sun Java Runtime Environment and the Sun Java Development Kit are used to run Java content, such as applets, that enhances the user experience when visiting web sites. These vulnerabilities may be exploited if a user visits a specially crafted web page or opens a specially crafted file. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

SYSTEMS AFFECTED:

  • JDK and JRE 6 Update 14 and prior
  • JDK and JRE 5.0 Update 19 and prior
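One way to turn the affected-version list above into an inventory check, given here as an added example that is not part of the original advisory: it parses the version line that `java -version` prints (for example `java version "1.6.0_14"`, where the `1.6` family is Java 6 and the `_14` suffix is the update number) and flags builds at or below 6 Update 14 or 5.0 Update 19. The sample outputs are constructed, and the function names (`parse_java_version`, `is_affected`, `assess`) are this example's own.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected ceilings taken from the advisory's SYSTEMS AFFECTED list:
# JDK/JRE 6 Update 14 and prior, JDK/JRE 5.0 Update 19 and prior.
# Keys are the (major, minor) family as reported by `java -version`
# ("1.6" is Java 6, "1.5" is Java 5.0).
AFFECTED_MAX_UPDATE = {
    (1, 6): 14,
    (1, 5): 19,
}

# `java -version` prints to stderr; its first line looks like:
#   java version "1.6.0_14"
# The update number after "_" may be absent on a base release.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, update) from `java -version` output.

    Returns None when no version line is found; a missing update is treated as 0.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def is_affected(version: Tuple[int, int, int, int]) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    major, minor, _micro, update = version
    ceiling = AFFECTED_MAX_UPDATE.get((major, minor))
    if ceiling is None:
        # Family not listed in this advisory (e.g. 1.4): not assessed here,
        # so it is reported as outside the stated affected range.
        return False
    return update <= ceiling


def assess(output: str) -> str:
    """Human-readable verdict for one `java -version` output."""
    v = parse_java_version(output)
    if v is None:
        return "unknown: could not parse version string"
    label = f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"
    verdict = "AFFECTED" if is_affected(v) else "not in affected range"
    return f"{label}: {verdict}"


def installed_java_version_output() -> str:
    """Run the local `java -version` and return what it printed (stderr first)."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr + proc.stdout


# Constructed sample outputs standing in for real `java -version` results.
SAMPLES = [
    'java version "1.6.0_14"\nJava(TM) SE Runtime Environment (build 1.6.0_14-b08)\n',
    'java version "1.6.0_15"\nJava(TM) SE Runtime Environment (build 1.6.0_15-b03)\n',
    'java version "1.5.0_19"\n',
    'java version "1.5.0_20"\n',
    'java version "1.4.2_19"\n',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
    try:
        print("local:", assess(installed_java_version_output()))
    except FileNotFoundError:
        print("local: java not found on PATH")
```

Run on a host, the script reports each constructed sample and then the locally installed Java; a "1.6.0_14: AFFECTED" line means the host is at or below the last affected update and needs the Sun patch. Families the advisory does not list (such as 1.4) are deliberately reported as outside the stated range rather than guessed at.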

RISK:
Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Six vulnerabilities have been discovered in the Sun Java Runtime Environment (JRE) and the Sun Java Development Kit (JDK) applications that could allow attackers to take complete control of a vulnerable system. Sun JRE allows a user to run Java applications, including web programs called applets, which are in use on many common websites. The Sun Java JDK is a development tool used to create Java Applications and applets.

Sun Java Runtime Environment Unpack200 JAR Unpacking Utility Integer Overflow Vulnerability
The Sun JRE is prone to an integer-overflow vulnerability. The issue arises when the 'Unpack200 JAR' utility handles specially-crafted packed applets and Java Web Start applications. Successful exploitation of this vulnerability may result in remote code execution.

Sun Java Runtime Environment JPEG Image Handling Integer Overflow Vulnerability
Sun JRE is prone to an integer-overflow vulnerability. This issue arises when the Java Runtime Environment handles a specially-crafted JPEG image. This vulnerability can be exploited if a user visits a specially crafted web-page, or opens a specially crafted JPEG image. Successful exploitation of this vulnerability may result in remote code execution.

Successful exploitation of the above two vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

Sun Java Runtime Environment Proxy Mechanism Implementation Privilege Escalation Vulnerabilities
Two vulnerabilities exist within the Sun JRE that could allow an untrusted applet or Java Web Start application to gain access to the active username or obtain browser cookies. Another vulnerability exists that may allow an untrusted applet or Java Web Start application to violate the same-origin policy and make unauthorized socket or URL connections to arbitrary hosts. These vulnerabilities can be exploited by a user visiting a webpage containing a malicious Java applet.

Sun Java Runtime Environment Audio System Privilege Escalation Vulnerability
The JRE audio system is vulnerable to a privilege escalation vulnerability. This vulnerability can be exploited by a user visiting a webpage containing a malicious Java applet. Successful exploits may allow attackers to access the 'java.lang.System' properties and perform actions with elevated privileges on affected computers.

Successful exploitation of the above two vulnerabilities may allow attackers to perform actions with elevated privileges, gain access to sensitive information, hijack sessions, and violate the same-origin policy.

Sun JRE/JDK Java Web Start ActiveX Control ATL Remote Code Execution Vulnerability
The Sun Java Web Start ActiveX Control is prone to a remote code execution vulnerability. This vulnerability may be exploited if a user visits a specially crafted web page. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the logged on user. This issue is caused by the vulnerabilities described in Microsoft security advisory 973883. Depending on the privileges associated with the user account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.

JNLPAppletLauncher Arbitrary File Creation Vulnerability
A vulnerability exists within Sun Java JNLPAppletLauncher. JNLPAppletLauncher is a JNLP-based class for deploying and launching applets that use extension libraries containing native code. The application is prone to a vulnerability that allows attackers to create arbitrary files on the vulnerable system when a user visits a malicious webpage. Successful exploitation of this vulnerability may aid in further attacks.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Sun to vulnerable systems immediately after appropriate testing.
  • To remediate the ATL vulnerability, apply appropriate patches provided by Microsoft in security advisory 973883 after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users not to download or open files from untrusted websites.
  • Remind users not to open email attachments from unknown or untrusted sources.
  • Configure email clients to preview messages in plain-text format, rather than RTF or HTML format.

REFERENCES:

Sun:
http://java.sun.com/javase/downloads/index.jsp
http://java.sun.com/javase/downloads/index_jdk5.jsp
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263490-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1
http://blogs.sun.com/security/entry/advance_notification_of_security_updates5
http://java.sun.com/javase/6/webnotes/6u15.html

Secunia:
http://secunia.com/advisories/36159/

Security Focus:
http://www.securityfocus.com/bid/35939
http://www.securityfocus.com/bid/35942
http://www.securityfocus.com/bid/35943
http://www.securityfocus.com/bid/35944
http://www.securityfocus.com/bid/35945
http://www.securityfocus.com/bid/35946

Microsoft:
http://www.microsoft.com/technet/security/advisory/973882.mspx
http://www.microsoft.com/technet/security/Bulletin/MS09-035.mspx


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.