Sun Java Security Issue with Javascript

Sun has let be known that the 1.4_05 version of their jre opens all
browsers using it to a possible exploit (Netscape, Mozilla, Firefox and IE
(if you have checked the box in Internet Options to use Sun Java).

See:

http://www.infoworld.com/article/04/...Nsunhot_1.html

and/or

http://isc.sans.org//diary.php?date=2004-11-23

Although Sun released the information, no reference to this issue seems to
exist on their own Sun or java.sun websites. (Maybe we didn't look hard
enough, though).

In a cruel twist of fate, Microsoft IE is not susceptible to the problem if
you use their Java VM (of course, one of the other IE vulnerabilities will
probably get you first anyway).

The reason that this is very serious is that there is no normal update
channel which prods users to patch their jre. Upgrading to the _06 is
pretty easy for most of us, but imagine the user who doesn't have any idea
as to how to change his/her browser from _05 or less to the _06 version
after the _06 is installed.

If this proves to result in a viable exploit, a little vendor support
(Debian,RedHat,Suse, Open/Free-bsd,etc or Sun themselves) is in order here
to get a plugin upgrade installer out there for whichever version of
browser they distribute. The latter will minimize damage to the reputation
of non-MS systems if this vuln spawns serious exploits.

The extent that malicious applets can access system functions is not clear
from the articles (assuming you don't browse as root, which I hope few if
any would do).

.... mungo

Mungo <reallydontmail@me.com> wrote in
news:Xns95AD670B64D36dontmailmecom@63.223.5.246:

> Sun has let be known that the 1.4_05 version of their jre opens all
> browsers using it to a possible exploit (Netscape, Mozilla, Firefox
> and IE (if you have checked the box in Internet Options to use Sun
> Java).

The original discovery ( with a benign example) was made by Marc
Schoenefeld (marc@illegalaccess.org) and the original disclosure letter is
at:

http://www.securityfocus.com/archive/1/341815

Upon examining it more carefully, it seems to fall in the same threat level
as the other browser cross-scripting vulns. May be an issue if you use your
browser for critical ( e.g., financial) things. More of an issue if either
using a browser with Windows or browsing as root with one of the unixes.

.... mungo

Mungo <reallydontmail@me.com> wrote in
news:Xns95AD795FF5B9Fdontmailmecom@63.223.5.251:

> Upon examining it more carefully, it seems to fall in the same threat
> level as the other browser cross-scripting vulns. May be an issue if
> you use your browser for critical ( e.g., financial) things. More of
> an issue if either using a browser with Windows or browsing as root
> with one of the unixes.
>

I was wrong. Not very trivial at all. See

http://www.internetnews.com/security...le.php/3439391

This has the potential to be pretty serious, particularly since a lot of
Mozilla/Firefox(and some windows) installations are using old j2sdk/jre
versions with java & javascript enabled. Quote from the latter article:

> While iDefense experts say the target user must be running a browser on
top of the JVM for the exploit to happen, it's possible to create a cross-
platform, cross-browser exploit that would give the attacker the same
privileges as the victim.


.... mungo