CERT VU:223028
Mar 06, 2008 - 12:00 a.m.

Sun Java WebStart stack buffer overflow

www.kb.cert.org

CVSS2: 6.8 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.148 Low
Percentile: 95.7%

Overview

Sun Java WebStart contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Sun Java WebStart is a technology for launching stand-alone Java applications. On Microsoft Windows systems, Java WebStart is provided by the program javaws.exe, which is included with the Sun Java Runtime Environment (JRE). Java WebStart operates by processing a JNLP file, which is an XML document that contains information about the Java application to execute. The Sun JRE installer configures Internet Explorer and Netscape Navigator to automatically open JNLP files without any user interaction.

Java WebStart contains a stack buffer overflow in the handling of JNLP files. This vulnerability can be exploited to execute arbitrary code as the result of opening a specially-crafted JNLP file, which can occur as the result of viewing a malicious web site. We have received reports that this vulnerability is being actively exploited.


Impact

By convincing a user to open a specially-crafted JNLP file, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This may occur as the result of viewing a specially-crafted web page.


Solution

Apply an update
This issue is addressed in the following Java versions:

* JDK and JRE 6 Update 5
* JDK and JRE 5.0 Update 15
* SDK and JRE 1.4.2_17

Please see Sun Alert 233327 for more details and additional workarounds.

Delete the Windows file association for JNLP files
The file association for JNLP files on Windows systems can be removed by deleting the following registry keys:

HKLM\Software\Classes\.jnlp
HKLM\Software\Classes\MIME\Database\Content Type\application/x-java-jnlp-file
HKLM\Software\Classes\JNLPfile

Disable the Java WebStart ActiveX control in Internet Explorer
The Java WebStart ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{5852F5ED-8BF4-11D4-A245-0080C6F74284}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}]
"Compatibility Flags"=dword:00000400

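A read-only PowerShell audit of whether a host has the two registry workarounds above in place, added here as an example and not part of the CERT advisory. The function names Test-HklmKey and Test-KillBit and the extra Wow6432Node check are assumptions of this example; run it from a 64-bit PowerShell session on 64-bit Windows so the native registry view is read.

```powershell
# Added example: read-only audit of the two workarounds in this advisory.
$hklm    = [Microsoft.Win32.Registry]::LocalMachine
$clsid   = '{5852F5ED-8BF4-11D4-A245-0080C6F74284}'
$KillBit = 0x400

# JNLP file-association keys the advisory says to delete (relative to HKLM).
$assocKeys = @(
    'Software\Classes\.jnlp',
    'Software\Classes\MIME\Database\Content Type\application/x-java-jnlp-file',
    'Software\Classes\JNLPfile'
)

# Kill-bit key from the advisory's .REG text.
$killBitKeys = @("SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
# Assumption beyond the page: on 64-bit Windows, 32-bit Internet Explorer
# reads the Wow6432Node copy, so that view is audited as well.
if ([Environment]::Is64BitOperatingSystem) {
    $killBitKeys += "SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

function Test-HklmKey([string]$SubKey) {
    # OpenSubKey avoids the registry provider, which treats the '/' in
    # "application/x-java-jnlp-file" as a path separator.
    $key = $hklm.OpenSubKey($SubKey)
    if ($null -eq $key) { return $false }
    $key.Close()
    return $true
}

function Test-KillBit([string]$SubKey) {
    $key = $hklm.OpenSubKey($SubKey)
    if ($null -eq $key) { return $false }      # key absent: kill bit not set
    try {
        $flags = [int]$key.GetValue('Compatibility Flags', 0)
        return (($flags -band $KillBit) -eq $KillBit)
    } finally { $key.Close() }
}

$report = @()
foreach ($k in $assocKeys) {
    $report += [pscustomobject]@{ Workaround = 'JNLP association removed'
                                  Key = "HKLM\$k"; Applied = (-not (Test-HklmKey $k)) }
}
foreach ($k in $killBitKeys) {
    $report += [pscustomobject]@{ Workaround = 'ActiveX kill bit set'
                                  Key = "HKLM\$k"; Applied = (Test-KillBit $k) }
}
$report | Format-Table -AutoSize -Wrap
```

A row with Applied = False means that workaround is not in effect for that key; neither workaround replaces installing one of the fixed Java versions listed above.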

Vendor Information


Sun Microsystems, Inc. - Affected

Notified: February 01, 2008 Updated: March 06, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in the following Java versions:

  * JDK and JRE 6 Update 5
  * JDK and JRE 5.0 Update 15
  * SDK and JRE 1.4.2_17

Please see Sun Alert for more details and additional workarounds.



Acknowledgements

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2008-1196
Severity Metric: 27.70 Date Public:
