NS and (Sun) Java current vulnerability

General discussion about the NoScript extension for Firefox
Post Reply
Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

NS and (Sun) Java current vulnerability

Post by Logos » Wed Apr 14, 2010 3:51 pm

just a question guys: would NS protect against that:
Secunia Advisory SA39260

http://secunia.com/advisories/39260

A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input sanitation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context.

Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected.


thanks.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

User avatar
Giorgio Maone
Site Admin
Posts: 9000
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NS and (Sun) Java current vulnerability

Post by Giorgio Maone » Wed Apr 14, 2010 3:57 pm

Logos wrote: would NS protect against that:
Secunia Advisory SA39260

http://secunia.com/advisories/39260

Yes it does.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

Re: NS and (Sun) Java current vulnerability

Post by Logos » Thu Apr 15, 2010 8:52 am

OK, this means also when Java is allowed to run (even just temporarily by the user) I suppose, NS will intercept the attack...
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.3 Safari/533.4

User avatar
Giorgio Maone
Site Admin
Posts: 9000
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: NS and (Sun) Java current vulnerability

Post by Giorgio Maone » Thu Apr 15, 2010 9:17 am

Logos wrote:OK, this means also when Java is allowed to run (even just temporarily by the user) I suppose, NS will intercept the attack...

Yes it does, provided that other plugins are disabled by NoScript.
This means that in default configuration you must not whitelist the malicious site hosting the exploit.
However, if NoScript Options|Advanced|Apply these restrictions to whitelisted sites as well is checked (my own configuration, recommended for total-lock down) you're protected even if you accidentally whitelist attacker's site.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

Re: NS and (Sun) Java current vulnerability

Post by Logos » Thu Apr 15, 2010 9:31 am

OK, thank you very much for these precisions ;)
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.3 Safari/533.4

al_9x
Master Bug Buster
Posts: 931
Joined: Thu Mar 19, 2009 4:52 pm

Re: NS and (Sun) Java current vulnerability

Post by al_9x » Thu Apr 15, 2010 10:14 am

The vulnerable plugin here is Java Deployment Toolkit, whose purpose is to trigger local installations of Java runtimes and apps. This functionality is about as useful and sensible as the ability to run local executables from PDFs. It's probably a good idea to disable this plugin altogether.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

Re: NS and (Sun) Java current vulnerability

Post by Logos » Thu Apr 15, 2010 11:17 am

al_9x wrote:The vulnerable plugin here is Java Deployment Toolkit, whose purpose is to trigger local installations of Java runtimes and apps. This functionality is about as useful and sensible as the ability to run local executables from PDFs. It's probably a good idea to disable this plugin altogether.


I have (disabled the plugins), yesterday already, in IE, Chrome and FF. But thanks for the feedback ;) ...I still wanted to know about NS protection potential.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.7 Safari/533.4

Logos
Junior Member
Posts: 43
Joined: Wed Oct 28, 2009 5:11 pm

Re: NS and (Sun) Java current vulnerability

Post by Logos » Thu Apr 15, 2010 12:20 pm

Java 1.6 update 20 is available >>> update from the control panel applet, otherwise that won't remove the 19 version (many java versions can be installed at the same time ). Not sure if this update solves the security flaw.

download here: http://www.java.com/en/ but again, better off with the integrated updater.

edit: warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.7 Safari/533.4

eradic8
Senior Member
Posts: 67
Joined: Wed Aug 26, 2009 11:43 am

Re: NS and (Sun) Java current vulnerability

Post by eradic8 » Tue Apr 20, 2010 12:01 pm

Logos wrote:Java 1.6 update 20 is available >>> update from the control panel applet, otherwise that won't remove the 19 version (many java versions can be installed at the same time ). Not sure if this update solves the security flaw.

download here: http://www.java.com/en/ but again, better off with the integrated updater.

edit: warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).



After being disabled by Mozilla last week, the Java Deployment Toolkit somehow must have re-enabled itself as I just got the same message again today. I wish I could block this crap from being installed on my computer in the first place, I dont believe I need it so why should it be forced upon me, especially when it is prone to security issues.
Anyway as for Java Runtime Update. This tool appears to be good for getting rid of old and redundant versions of Java http://sourceforge.net/projects/javara/
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: NS and (Sun) Java current vulnerability

Post by dhouwn » Tue Apr 20, 2010 4:11 pm

Since some versions now, the JRE install itself into "%Program Files%\Java\jre6" so it should always overwrite the previous version.
On the other hand, the JDK versions are to be installed side-by-side per design.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a5pre) Gecko/20100419 Firefox/3.7

Post Reply