magmatic.com - Squawk Box - Java Runtime Environment in Mac OSX

MAAS History

Java Runtime Environment in Mac OSX

Tuesday, May 26, 2009 at 08:42PM

Java Runtime Environment in Mac OSX has vulnerabilities that Sun has released updates to. Apple will have to provide an update via Software Update for general users shortly, see references from a complete list from the Sun Solve site. The issues include privilege escalation, failure to check signatures, buffer overflows, parsing of Zip allowing reading of arbitrary memory and code from local system accessing the local host. The current test below will result in a bootstrap failure.

At this time users should disable Java, if however it is needed then only trusted sites' .class and JAR files should be run.

<<Note: Test site below is a link to test CVE-2008-5353, it will cause your system to crash. Currently Virus Barrier is detecting this security hole. It is not a live link, you are responsible, you have to cut and paste the link.>>

http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html

Update on Sunday, May 31, 2009 at 08:19AM by

drStrangeP0rk

Marc Schoenefeld has posted information on how to install a non-OSX java distribution and a link to a site with the exploit. Currently Virus Barrier detects and will put the virus into quarantine. You should of course delete the class files which all have the Java/Evasion.A virus.

http://www.illegalaccess.org/

Update on Tuesday, June 16, 2009 at 08:21AM by

drStrangeP0rk

Apple has released updates to the Java Platform released by Apple. Make sure to select update from Software Update to install these updates, they are critical. When installing the update make sure no applications that use Java are running before installing. This fixes many of the issues including preventing Java applets/applications from running and gaining elevated privileges.

http://support.apple.com/kb/HT3633

http://support.apple.com/kb/HT3632

drStrangeP0rk |

References (14)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Source: e Java Runtime Environment Creates Temporary Files That Have "Guessable" File Name

Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing Image Files and Fonts May Allow Applets or Java Web Start Applications to Elevate Their Privileges
Source: Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing Image Files and Fonts May Allow Applets or Java Web Start Applications to Elevate Their Privileges

Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing Image Files and Fonts May Allow Applets or Java Web Start Applications to Elevate Their Privileges
Source: Multiple Security Vulnerabilities in Java Web Start and Java Plug-in May Allow Privilege Escalation

Multiple Security Vulnerabilities in Java Web Start and Java Plug-in May Allow Privilege Escalation
Source: The Java Runtime Environment (JRE) "Java Update" Mechanism Does Not Check the Digital Signature of the JRE that it Downloads

The Java Runtime Environment (JRE) "Java Update" Mechanism Does Not Check the Digital Signature of the JRE that it Downloads
Source: A Buffer Overflow Vulnerability in the Java Runtime Environment (JRE) May Allow Privileges to be Escalated

A Buffer Overflow Vulnerability in the Java Runtime Environment (JRE) May Allow Privileges to be Escalated
Source: A Security Vulnerability in the Java Runtime Environment (JRE) Related to Deserializing Calendar Objects May Allow Privileges to be Escalated

A Security Vulnerability in the Java Runtime Environment (JRE) Related to Deserializing Calendar Objects May Allow Privileges to be Escalated
Source: The Java Runtime Environment UTF-8 Decoder May Allow Multiple Representations of UTF-8 Input

The Java Runtime Environment UTF-8 Decoder May Allow Multiple Representations of UTF-8 Input
Source: Security Vulnerability in Java Runtime Environment May Allow Applets to List the Contents of the Current User's Home Directory

Security Vulnerability in Java Runtime Environment May Allow Applets to List the Contents of the Current User's Home Directory
Source: Security Vulnerability in the Java Runtime Environment With Processing RSA Public Keys

Security Vulnerability in the Java Runtime Environment With Processing RSA Public Keys
Source: A Security Vulnerability in Java Runtime Environment (JRE) With Authenticating Users Through Kerberos May Lead to a Denial of Service (DoS)

A Security Vulnerability in Java Runtime Environment (JRE) With Authenticating Users Through Kerberos May Lead to a Denial of Service (DoS)
Source: Security Vulnerabilities in the Java Runtime Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to be Escalated

Security Vulnerabilities in the Java Runtime Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to be Escalated
Source: A Security Vulnerability in Java Runtime Environment (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary Memory Locations

A Security Vulnerability in Java Runtime Environment (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary Memory Locations
Source: A Security Vulnerability in Java Runtime Environment (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary Memory Locations

A Security Vulnerability in Java Runtime Environment (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary Memory Locations
Source: A Security Vulnerability in the Java Runtime Environment may Allow Code Loaded From the Local Filesystem to Access LocalHost

A Security Vulnerability in the Java Runtime Environment may Allow Code Loaded From the Local Filesystem to Access LocalHost

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

magmatic.com by magmatic consulting is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Based on a work at http://magmatic.com.
Permissions beyond the scope of this license may be available at http://magmatic.com.