Vulnerability Development mailing list archives
Re: Java - JRE, SDK Java Web Start
From: jfvanmeter () comcast net
Date: Wed, 18 Jul 2007 21:06:59 +0000
Hello Sapa3a, so if I wrote called that would place a called down c:\program files\myprogram\jre\1.5.0_09 and then convinced a user to run in it "Internet Explorer" or possible Outlook, or just good old "Windows" you don't think I could exploit a vulnerability in that version? I know with the Sun Java Web Start vulnerability there are several workaround if you can't update to the newest version of jre To work around this vulnerability, if you are not actively using Java WebStart, remove the .jnlp content type association in your registry: - HKLM:Software\Classes\.jnlp - HKLM:Software\Classes\JNLPfile - HKLM:Sofrware\Classes\MIME\Database\Content Type\application/x-java-jnlp-file By deleting these registry keys, Java WebStart will no longer be used to open .jnlp files, thereby mitigation this vulnerability. Other work abounds - Disable Java Web Start applications from being launched from a web browser: Internet Explorer: Right click on the "Start" button and select "Explore" In the "Start Menu" window, select "Tools" => "Folder Options"
From the "Folder Options" window, select the "File Types" tab From the "Registered File Types" window, scroll down and locate the
"JNLP - JNLP File" Select the "JNLP - JNLP File" and click the "Delete" button - On Windows, applications may also be launched from the desktop icon or from the "Start" menu if a shortcut was previously created for an application. Unknown applications should not be launched through the desktop icon or the Start Menu. Shortcuts can be removed by using the Java Web Start Application Manager through the "Application/Remove Shortcut" menu item. For more information, see: http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/overview.html - It is also possible to launch applications through the command line in Windows. Unknown applications should not be launched through the command line. Sites may consider renaming the Java Web Start launcher ("javaws.exe" for Windows) to prevent Java Web Start from launching. The launcher can be found at C:\Program Files\java\j2re1.5.0\javaws\javaws.exe (or down my path c:\program files\myprogram\jre\1.5.0_09\javaws.exe) Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability Patch Information http://www.securityfocus.com/archive/1/archive/1/473224/100/0/threaded Security Focus - http://www.securityfocus.com/bid/24832 So I think JRE can be exploited directly on a "WINDOWS" system Best Regards --John -------------- Original message ---------------------- From: 3APA3A <3APA3A () SECURITY NNOV RU>
Dear jfvanmeter () comcast net, Vulnerability in JRE itself can not be exploited directly. It can only be exploited through some JAVA-enabled application, browser in most cases. In case of e.g. JAVA-based Cisco VoIP software, vulnerability in JRE can only be exploited in case vulnerability is in in some function used with remote user-supplied arguments. It's rare enough case for Java. In this case, I believe, Cisco (or write any different vendor here) should issue an update for it's software. It's not necessary for Cisco to update software every time JRE is updated, if vulnerability doesn't affect Cisco product installation. --Monday, July 16, 2007, 7:18:37 PM, you wrote to vuln-dev () securityfocus com: jcn> How does everyone feel about java being installed by vendors jcn> in a propriety path i.e. program files\mysoftware\bin\jre\1.4.0\ jcn> and never patching it. jcn> I ran an enterprise scan to looking for javaws.exe and found jcn> it in 175 unique paths. Should they be held accountable for the jcn> patching of java when they install it? jcn> I had one vendor who installed java 1.3 and 1.4, and when I jcn> ask them about it. There statement was you dont have the modules jcn> that require those versions you can just delete them jcn> How does everyone patch Java that is not installed in its default location? -- ~/ZARAZA http://securityvulns.com/
Current thread:
- Java - JRE, SDK Java Web Start jfvanmeter (Jul 17)
- Re: Java - JRE, SDK Java Web Start Kish Pent (Jul 17)
- Re: Java - JRE, SDK Java Web Start Blue Boar (Jul 17)
- Re: Java - JRE, SDK Java Web Start 3APA3A (Jul 18)
- <Possible follow-ups>
- Re: Java - JRE, SDK Java Web Start jfvanmeter (Jul 18)