Another Oracle/Sun JRE warning - malicious JavaVM usage

Discussion in 'Computer Security' started by MEB, Apr 12, 2010.

  1. MEB

    MEB Guest

    April 9, 2010, 9:37AM
    Serious New Java Flaw Affects All Current Versions of Windows
    http://threatpost.com/en_us/O4v

    Java.exe and javaw.exe support undocumented/hidden command-line
    parameters which is/are easily used to perform malicious usage by
    loading an "alternative" JavaVM. These can be used to load already
    downloaded or forced downloads of malicious dlls or .so files. The
    vulnerability potentially exists in ALL OSs which use Oracle/Sun JAVA,
    and/or via browsers which do.

    http://java.sun.com/javase/technologies/desktop/javawebstart/index.jsp
    "Java Web Start Technology

    Using Java Web Start technology, standalone Java software applications
    can be deployed with a single click over the network. Java Web Start
    ensures the most current version of the application will be deployed, as
    well as the correct version of the Java Runtime Environment (JRE).
    Where Do You Get Java Web Start?

    Java Web Start is included in the Java Runtime Environment (JRE) as
    part of Java SE 6."


    ** The Windows Registry/Hive location for setting the killbit
    [work-around] for this particular vulnerability in IE is:

    (watch out for the wrap)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
    Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}]
    "Compatibility Flags"=dword:00000400

    Once again, using restrictive Zones and settings is also beneficial, as
    is using a web page script blocking application/plugin, and/or other
    restrictions.

    ** Win9X/ME users should only be running 1.5.0{.22}[maximum], though the
    kill bit may/should be beneficial.

    http://java.sun.com/products/archive/
    apparently .21 is last listed here
    http://www.java.com/en/download/faq/win98_me.xml
    http://www.java.com/en/download/windows98me_manual.jsp
    version .22 is here

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Apr 12, 2010
    #1
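
Added example, not part of the original thread: a PowerShell check that the kill bit from post #1 is actually in effect, testing the 0x400 bit rather than comparing the whole value, since other compatibility flags may be set on the same key. The `-Apply` switch and the `Get-KillBitState` helper are names made up for this example; the Wow6432Node path is the standard 32-bit registry view on 64-bit Windows and is not mentioned in the thread.

```powershell
# Added example: audit (and optionally set) the IE kill bit from post #1.
param([switch]$Apply)   # -Apply writes the value; needs an elevated prompt

$Clsid     = '{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}'   # CLSID from the post
$ValueName = 'Compatibility Flags'
$KillBit   = 0x400                                       # dword:00000400

$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
# Assumption (not in the thread): 32-bit IE on 64-bit Windows reads the
# redirected Wow6432Node view, so check it when it exists.
$Wow = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Wow6432Node') { $Roots += $Wow }

function Get-KillBitState {
    param([string]$Root)
    $key   = "$Root\$Clsid"
    $flags = $null
    if (Test-Path -LiteralPath $key) {
        # GetValue returns $null when the value is absent
        $flags = (Get-Item -LiteralPath $key).GetValue($ValueName)
    }
    $shown = '(not set)'
    if ($null -ne $flags) { $shown = '0x{0:X8}' -f $flags }
    [pscustomobject]@{
        Key        = $key
        Flags      = $shown
        KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        Raw        = $flags
    }
}

foreach ($root in $Roots) {
    $state = Get-KillBitState -Root $root
    if ($Apply -and -not $state.KillBitSet) {
        # Create the key only when it is missing, so values already
        # stored under an existing key are left alone.
        if (-not (Test-Path -LiteralPath $state.Key)) {
            New-Item -Path $state.Key -Force | Out-Null
        }
        # Preserve any flags already present and add the kill bit.
        $old = 0
        if ($null -ne $state.Raw) { $old = [int]$state.Raw }
        New-ItemProperty -LiteralPath $state.Key -Name $ValueName `
            -PropertyType DWord -Value ($old -bor $KillBit) -Force | Out-Null
        $state = Get-KillBitState -Root $root
    }
    $state | Select-Object Key, Flags, KillBitSet
}
```

Run without arguments it only reports; re-run it after any Java update or reinstall to confirm the key is still there.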

  2. MEB

    Dan Guest

    Here is some more information about current Java vulnerabilities.

    http://isc.sans.org/diary.html?storyid=8608#comment
     
    Dan, Apr 13, 2010
    #2

  3. MEB

    MEB Guest

    There is a "business" 5.0.24 [and 4.0.26] version [Win9X/ME/NT] in
    addition to the below out of band Java update. These attempt to address
    "part of" the problems.

    http://java.sun.com/javase/6/webnotes/6u20.html

    Deploying Java Applets With Family JRE Versions in Java Plug-in for
    Internet Explorer
    http://java.sun.com/javase/6/webnotes/family-clsid.html

    http://java.com/en/download/manual.jsp

    NOTE: Linux, Solaris, and Windows versions are available. MAC users
    should check for updates [yes there were MAC versions of the hacks].

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Apr 15, 2010
    #3
  4. MEB

    98 Guy Guest

    This exploit does not function on win-98 with JRE 5.x.

    A proof-of-concept example can be found here:

    http://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

    Clicking on that page with a vulnerable combination of Windows and Java
    JRE should launch the calculator application (calc.exe).

    On my win-98 system, while running Firefox 2.0.0.20 and with JRE version
    5 update 22, firefox displays a message at the top of the browser
    window, telling me that "Additional plugins are required to display all
    the media on this page". The calc application does not launch.
     
    98 Guy, Apr 16, 2010
    #4
  5. MEB

    MEB Guest

    Numbnuts, look around for the OTHER hacks that are for Win98...

    --
    MEB
    http://peoplescounsel.org/ref/windows-main.htm
    Windows Info, Diagnostics, Security, Networking
    http://peoplescounsel.org
    The "real world" of Law, Justice, and Government
    ___---
     
    MEB, Apr 16, 2010
    #5
  6. MEB

    Dan Guest

    Meb, I ended up having to completely remove Java and then download the
    latest Java Runtime in order to remove old remnants of Java 6 update 19. The
    Java Deployment Toolkit older version was still there when I just updated
    from Java 6 update 19 to Java 6 update 20 in Windows XP Pro. in Mozilla
    Firefox. I dual-boot with 98 SE and XP Pro. on 2 hard drives.

    <98 general newsgroup removed still not relevant in this post>
     
    Dan, Apr 22, 2010
    #6
  7. MEB

    alexborow

    It is one of the latest technology for these you have to download many of the latest version in all these there are so many things which is great to know about it.
     
    alexborow, Nov 25, 2010
    #7