A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by an input sanitization error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and, for example, execute a JAR file placed on a network share in a privileged context.
Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.
The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected.
thanks.
Logos wrote: OK, this also means that when Java is allowed to run (even just temporarily by the user), I suppose NS will intercept the attack...
Yes it does, provided that other plugins are disabled by NoScript.
This means that in the default configuration you must not whitelist the malicious site hosting the exploit.
However, if NoScript Options|Advanced|Apply these restrictions to whitelisted sites as well is checked (my own configuration, recommended for a total lock-down), you're protected even if you accidentally whitelist the attacker's site.
The vulnerable plugin here is Java Deployment Toolkit, whose purpose is to trigger local installations of Java runtimes and apps. This functionality is about as useful and sensible as the ability to run local executables from PDFs. It's probably a good idea to disable this plugin altogether.
al_9x wrote: The vulnerable plugin here is Java Deployment Toolkit, whose purpose is to trigger local installations of Java runtimes and apps. This functionality is about as useful and sensible as the ability to run local executables from PDFs. It's probably a good idea to disable this plugin altogether.
I had already disabled the plugins yesterday, in IE, Chrome and FF. But thanks for the feedback... I still wanted to know about NS's protection potential.
Java 1.6 Update 20 is available >>> update from the Control Panel applet; otherwise it won't remove the Update 19 version (many Java versions can be installed at the same time). Not sure if this update solves the security flaw.
edit: warning: I just found that the Update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).
Logos wrote: Java 1.6 Update 20 is available >>> update from the Control Panel applet; otherwise it won't remove the Update 19 version (many Java versions can be installed at the same time). Not sure if this update solves the security flaw.
edit: warning: I just found that the Update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).
After being disabled by Mozilla last week, the Java Deployment Toolkit somehow must have re-enabled itself, as I just got the same message again today. I wish I could block this crap from being installed on my computer in the first place; I don't believe I need it, so why should it be forced upon me, especially when it is prone to security issues.
Anyway, as for the Java Runtime update: this tool appears to be good for getting rid of old and redundant versions of Java: http://sourceforge.net/projects/javara/
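As an added example (not code from this thread, from Sun, or from NoScript), here is a small JavaScript check that does by script what the posts above describe doing by hand: it inventories the Java plugins a browser exposes, flags the Java Deployment Toolkit (the vulnerable component, which one poster found re-enabled after it had been disabled) and flags any JRE plugin still at 6 Update 19 or older, which is how leftover plugins after an in-place update to 6u20 would show up. The plugin names and filenames in the sample list are constructed, modelled on what Firefox 3.6 on Windows reported at the time; treating 6 Update 20 as the level to be on and matching the npdeployJava DLL name are assumptions, since the thread itself does not confirm that 6u20 closes the hole.

```javascript
// Added example, not from the thread. Audit a list of browser plugins for the
// Java Deployment Toolkit and for stale JRE plugins. In a browser console run
// auditJavaPlugins(Array.from(navigator.plugins)); under Node the constructed
// sample list at the bottom is used instead.

// Assumption: 6 Update 20 is the level to be on. The thread mentions it as the
// available update but does not confirm that it fixes the flaw.
const MIN_JRE6_UPDATE = 20;

// Parse a Firefox-style JRE plugin name such as "Java(TM) Platform SE 6 U19"
// into { major, update }; returns null for anything that is not a JRE plugin.
function parseJreVersion(name) {
  const m = /^Java\(TM\) Platform SE (\d+)(?: U(\d+))?/.exec(name);
  if (!m) return null;
  return { major: Number(m[1]), update: m[2] ? Number(m[2]) : 0 };
}

// The Deployment Toolkit is matched by name; the DLL-name match is a fallback
// (assumption: on Windows the plugin file is npdeployJava1.dll).
function isDeploymentToolkit(plugin) {
  return /Deployment Toolkit/i.test(plugin.name) ||
    /npdeployJava/i.test(plugin.filename || '');
}

// Returns which plugins to worry about. `exposed` is true when the Deployment
// Toolkit is present (whatever the JRE level) or when a stale JRE plugin is.
function auditJavaPlugins(plugins) {
  const result = { deploymentToolkit: [], staleJre: [], currentJre: [], exposed: false };
  for (const plugin of plugins) {
    if (isDeploymentToolkit(plugin)) {
      result.deploymentToolkit.push(plugin.name);
      continue;
    }
    const v = parseJreVersion(plugin.name);
    if (!v) continue; // not a Java plugin
    const stale = v.major < 6 || (v.major === 6 && v.update < MIN_JRE6_UPDATE);
    (stale ? result.staleJre : result.currentJre).push(plugin.name);
  }
  result.exposed = result.deploymentToolkit.length > 0 || result.staleJre.length > 0;
  return result;
}

// Constructed sample: what a Firefox 3.6 profile on Windows might list after an
// in-place update to 6u20 that left the 6u19 plugins behind, as one post reports.
const SAMPLE_PLUGINS = [
  { name: 'Java(TM) Platform SE 6 U19', filename: 'npjp2.dll',
    description: 'Next Generation Java Plug-in 1.6.0_19 for Mozilla browsers' },
  { name: 'Java Deployment Toolkit 6.0.190.4', filename: 'npdeployJava1.dll',
    description: 'NPRuntime Script Plug-in Library for Java(TM) Deploy' },
  { name: 'Java(TM) Platform SE 6 U20', filename: 'npjp2.dll',
    description: 'Next Generation Java Plug-in 1.6.0_20 for Mozilla browsers' },
  { name: 'Shockwave Flash', filename: 'NPSWF32.dll',
    description: 'Shockwave Flash 10.0 r45' },
];

// Use the real plugin list when running in a browser, the sample otherwise.
const pluginsToAudit =
  (typeof navigator !== 'undefined' && navigator.plugins)
    ? Array.from(navigator.plugins)
    : SAMPLE_PLUGINS;
console.log(auditJavaPlugins(pluginsToAudit));
```

On the constructed sample the audit reports the Deployment Toolkit as present and the 6u19 plugin as stale even though 6u20 is also registered, which is exactly the situation that led the poster above to remove Java completely and reinstall. A result with an empty deploymentToolkit list and an empty staleJre list is what you want to see after that reinstall and after disabling the Toolkit in each browser.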
For some versions now, the JRE has installed itself into "%Program Files%\Java\jre6", so it should always overwrite the previous version.
On the other hand, the JDK versions are installed side-by-side by design.