
NS and (Sun) Java current vulnerability

Posted: Wed Apr 14, 2010 3:51 pm
by Logos
Just a question, guys: would NS protect against that?
Secunia Advisory SA39260

http://secunia.com/advisories/39260
A vulnerability has been discovered in Sun Java, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input sanitation error in the Java Deployment Toolkit browser plugin. This can be exploited to pass arbitrary arguments to javaw.exe and e.g. execute a JAR file placed on a network share in a privileged context.

Successful exploitation allows execution of arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability is confirmed in JRE version 6 Update 19. Other versions may also be affected.
thanks.

Re: NS and (Sun) Java current vulnerability

Posted: Wed Apr 14, 2010 3:57 pm
by Giorgio Maone
Logos wrote: would NS protect against that:
Secunia Advisory SA39260

http://secunia.com/advisories/39260
Yes it does.

Re: NS and (Sun) Java current vulnerability

Posted: Thu Apr 15, 2010 8:52 am
by Logos
OK, this means also when Java is allowed to run (even just temporarily by the user) I suppose, NS will intercept the attack...

Re: NS and (Sun) Java current vulnerability

Posted: Thu Apr 15, 2010 9:17 am
by Giorgio Maone
Logos wrote:OK, this means also when Java is allowed to run (even just temporarily by the user) I suppose, NS will intercept the attack...
Yes it does, provided that other plugins are disabled by NoScript.
This means that in default configuration you must not whitelist the malicious site hosting the exploit.
However, if NoScript Options|Advanced|Apply these restrictions to whitelisted sites as well is checked (my own configuration, recommended for total lock-down), you're protected even if you accidentally whitelist the attacker's site.

Re: NS and (Sun) Java current vulnerability

Posted: Thu Apr 15, 2010 9:31 am
by Logos
OK, thank you very much for these precisions ;)

Re: NS and (Sun) Java current vulnerability

Posted: Thu Apr 15, 2010 10:14 am
by al_9x
The vulnerable plugin here is Java Deployment Toolkit, whose purpose is to trigger local installations of Java runtimes and apps. This functionality is about as useful and sensible as the ability to run local executables from PDFs. It's probably a good idea to disable this plugin altogether.

Re: NS and (Sun) Java current vulnerability

Posted: Thu Apr 15, 2010 11:17 am
by Logos
al_9x wrote:The vulnerable plugin here is Java Deployment Toolkit, whose purpose is to trigger local installations of Java runtimes and apps. This functionality is about as useful and sensible as the ability to run local executables from PDFs. It's probably a good idea to disable this plugin altogether.
I have (disabled the plugins) already, yesterday, in IE, Chrome and FF. But thanks for the feedback ;) ...I still wanted to know about NS's protection potential.

Re: NS and (Sun) Java current vulnerability

Posted: Thu Apr 15, 2010 12:20 pm
by Logos
Java 1.6 update 20 is available >>> update from the control panel applet, otherwise that won't remove the 19 version (many Java versions can be installed at the same time). Not sure if this update solves the security flaw.

download here: http://www.java.com/en/ but again, better off with the integrated updater.

edit: warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).

Re: NS and (Sun) Java current vulnerability

Posted: Tue Apr 20, 2010 12:01 pm
by eradic8
Logos wrote: Java 1.6 update 20 is available >>> update from the control panel applet, otherwise that won't remove the 19 version (many Java versions can be installed at the same time). Not sure if this update solves the security flaw.

download here: http://www.java.com/en/ but again, better off with the integrated updater.

edit: warning: I just found that update 19 plugins were still present in all browsers after the update to "20" >>> way out: remove Java completely and reinstall from scratch with the download (yeah, that's the opposite of what I said before).

After being disabled by Mozilla last week, the Java Deployment Toolkit somehow must have re-enabled itself, as I just got the same message again today. I wish I could block this crap from being installed on my computer in the first place; I don't believe I need it, so why should it be forced upon me, especially when it is prone to security issues?
Anyway, as for Java Runtime Update: this tool appears to be good for getting rid of old and redundant versions of Java: http://sourceforge.net/projects/javara/

Re: NS and (Sun) Java current vulnerability

Posted: Tue Apr 20, 2010 4:11 pm
by dhouwn
For some versions now, the JRE has installed itself into "%Program Files%\Java\jre6", so it should always overwrite the previous version.
On the other hand, the JDK versions are installed side by side by design.
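A quick way to check for the situation Logos ran into (Update 19 plugin DLLs still present after installing Update 20) and the install layout dhouwn describes is to enumerate every Java directory under Program Files, read the version of its java.exe, and list the browser plugin DLLs it ships together with what Firefox has registered. The script below is an added example for this thread, not something posted by its participants or shipped by Sun/Oracle or NoScript. It assumes Java lives under %ProgramFiles%\Java (plus the 32-bit and 64-bit variants), that the browser plugins are the np*.dll files in the JRE tree, and that Firefox plugins are registered under HKLM\SOFTWARE\MozillaPlugins; all three are assumptions about the host, not facts stated in the thread.

```powershell
# Added example, not from the thread: audit Java installs and their browser
# plugin DLLs so that a stale JRE left behind after an update is visible.
# Assumptions: JRE/JDK directories under <Program Files>\Java, plugins named
# np*.dll inside the JRE tree, Firefox registrations in HKLM\SOFTWARE\MozillaPlugins.

$javaRoots = @("$env:ProgramFiles\Java")
if ($env:ProgramW6432 -and ($env:ProgramW6432 -ne $env:ProgramFiles)) {
    $javaRoots += "$env:ProgramW6432\Java"
}
if (${env:ProgramFiles(x86)}) { $javaRoots += "${env:ProgramFiles(x86)}\Java" }

$findings = foreach ($root in ($javaRoots | Sort-Object -Unique)) {
    if (-not (Test-Path $root)) { continue }
    foreach ($dir in Get-ChildItem $root -Directory) {
        $javaExe = Join-Path $dir.FullName 'bin\java.exe'
        $javaVer = if (Test-Path $javaExe) {
            (Get-Item $javaExe).VersionInfo.ProductVersion
        } else { 'n/a' }

        # Every np*.dll shipped under this install is a browser plugin candidate
        # (assumed naming convention); report its own file version next to java.exe.
        $plugins = @(Get-ChildItem $dir.FullName -Recurse -Filter 'np*.dll' `
                     -ErrorAction SilentlyContinue)
        foreach ($p in $plugins) {
            [pscustomobject]@{
                Install   = $dir.Name
                Java      = $javaVer
                Plugin    = $p.Name
                PluginVer = $p.VersionInfo.FileVersion
                Path      = $p.FullName
            }
        }
        if ($plugins.Count -eq 0) {
            [pscustomobject]@{ Install = $dir.Name; Java = $javaVer
                               Plugin = '(none)'; PluginVer = ''; Path = $dir.FullName }
        }
    }
}

"Java installs and plugin DLLs found on disk:"
$findings | Format-Table -AutoSize

# Plugins Firefox will actually load are registered here (assumed location);
# a Path pointing into an old JRE directory is exactly the leftover to remove.
$regKey = 'HKLM:\SOFTWARE\MozillaPlugins'
if (Test-Path $regKey) {
    "Firefox plugin registrations mentioning Java:"
    Get-ChildItem $regKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if ($_.PSChildName -match 'java' -or "$($props.Path)" -match 'java') {
            [pscustomobject]@{
                Key     = $_.PSChildName
                Path    = $props.Path
                Present = (Test-Path "$($props.Path)")
                FileVer = if (Test-Path "$($props.Path)") {
                              (Get-Item $props.Path).VersionInfo.FileVersion } else { '' }
            }
        }
    } | Format-Table -AutoSize
}

# More than one plugin version on disk means an older JRE is still installed;
# a registration whose Path no longer exists means the browser will fail loudly
# rather than silently run the old code, which is the better of the two outcomes.
$versions = @($findings | Where-Object { $_.Plugin -ne '(none)' } |
              Select-Object -ExpandProperty PluginVer -Unique)
if ($versions.Count -gt 1) {
    Write-Warning ("Multiple Java plugin versions present: " +
                   ($versions -join ', ') + " - uninstall the older JRE and re-check.")
}
```

Run it from an elevated PowerShell prompt before and after the Java uninstall/reinstall: the first table should shrink to a single jre6 directory, and every registered plugin Path should point into that directory with the same file version as its java.exe. A JDK directory alongside it is expected, as dhouwn says; what should not remain is a second JRE or a registration pointing at one.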