CERT Vulnerability Note VU#507652

Oracle Sun Java fails to properly validate Java applet signatures

Published: April 02, 2010 (www.kb.cert.org)

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE
  Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.038 Low (Percentile 91.7%)

Overview

Oracle Sun Java fails to properly validate Java applet signatures, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Signed Java applets have the ability to perform actions outside of the traditional Java sandbox, including local filesystem access or the ability to execute native code. When a user encounters a signed Java applet in a web page, the JRE presents a dialog asking whether to run the application, and the option "Always trust content from this publisher" is selected by default. This means that once a signed Java applet has been allowed to run, every applet that the JRE determines to be signed by that same publisher will execute without further user interaction. Please see the CERT Vulnerability Analysis Blog for more details.

Oracle Sun Java contains a critical flaw in the validation of Java applet signatures. This vulnerability can allow an attacker to modify the contents of a signed Java applet without breaking the signature. The Oracle Critical Patch Update lists the following versions as being affected:

Java SE:

* JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux
* JDK 5.0 Update 23 and earlier for Solaris
* SDK 1.4.2_25 and earlier for Solaris

Java for Business:

* JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux
* JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris, and Linux
* SDK and JRE 1.4.2_25 and earlier for Windows, Solaris, and Linux
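To make concrete what an applet signature check has to cover, here is an added example. It is not code from the CERT note, Oracle or Sun, and it does not reproduce the specific CVE-2010-0087 defect, which the note does not describe. It models only the JAR manifest-digest layer: the layer that binds each entry's bytes to the signed manifest, and therefore the layer an attacker must defeat to "modify the contents of a signed Java applet without breaking the signature". It builds a small JAR with constructed placeholder class bytes, then shows that a verifier must reject both a listed entry whose bytes were changed and an entry the manifest never covered, while the manifest itself (which the .SF/RSA signature protects) is left untouched. The entry names, contents and the use of the SHA-256-Digest attribute are illustrative assumptions; the .SF file and the RSA signature block are deliberately omitted.

```python
import base64
import hashlib
import io
import zipfile

# jarsigner records one digest attribute per entry in META-INF/MANIFEST.MF.
# The attribute name is assumed here; older tooling used SHA1-Digest.
DIGEST_ATTR = "SHA-256-Digest"


def manifest_digest(data: bytes) -> str:
    """Digest value as it appears in the manifest: base64 of the raw hash."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(entries: dict) -> bytes:
    """Main section followed by one 'Name:' section per entry (CRLF, blank-line separated)."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"{DIGEST_ATTR}: {manifest_digest(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def parse_manifest(text: bytes) -> dict:
    """Return {entry name: expected digest} from the per-entry sections.
    Handles the manifest's continuation lines (a leading space continues the value)."""
    sections, current, last_key = [], {}, None
    for raw in text.decode("utf-8").splitlines():
        if raw == "":
            if current:
                sections.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(": ")
        current[key] = value
        last_key = key
    if current:
        sections.append(current)
    return {s["Name"]: s[DIGEST_ATTR] for s in sections if "Name" in s and DIGEST_ATTR in s}


def build_jar(entries: dict, manifest: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_jar(jar_bytes: bytes) -> dict:
    """Strict check: every non-META-INF entry must be listed in the manifest
    and its bytes must match the recorded digest. A verifier that only checks
    the entries the manifest lists would let an injected entry through."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        tampered, unsigned = [], []
        for name in names:
            if name.startswith("META-INF/"):
                continue  # manifest and signature files are not self-covered
            if name not in expected:
                unsigned.append(name)
            elif manifest_digest(zf.read(name)) != expected[name]:
                tampered.append(name)
        missing = sorted(set(expected) - set(names))
    return {"tampered": tampered, "unsigned": unsigned, "missing": missing,
            "ok": not (tampered or unsigned or missing)}


# Constructed sample applet: class bytes are placeholders, not real bytecode.
SIGNED_ENTRIES = {
    "Applet.class": b"\xca\xfe\xba\xbe original applet",
    "res/config.properties": b"mode=safe\n",
}
SIGNED_MANIFEST = build_manifest(SIGNED_ENTRIES)  # stands in for the signed manifest


def scenario_intact() -> dict:
    return verify_jar(build_jar(SIGNED_ENTRIES, SIGNED_MANIFEST))


def scenario_tampered() -> dict:
    """Attacker rewrites a signed class but cannot touch the signed manifest."""
    mod = dict(SIGNED_ENTRIES)
    mod["Applet.class"] = b"\xca\xfe\xba\xbe patched applet"
    return verify_jar(build_jar(mod, SIGNED_MANIFEST))


def scenario_injected() -> dict:
    """Attacker adds a class the manifest never listed."""
    mod = dict(SIGNED_ENTRIES)
    mod["Evil.class"] = b"\xca\xfe\xba\xbe dropped in"
    return verify_jar(build_jar(mod, SIGNED_MANIFEST))


if __name__ == "__main__":
    for label, fn in (("intact", scenario_intact), ("tampered", scenario_tampered),
                      ("injected", scenario_injected)):
        print(label, fn())
```

The "unsigned" bucket is the one that is easy to get wrong in practice: iterating over the manifest and checking each listed entry looks complete but never sees an entry that was added to the archive afterwards, so a strict verifier must iterate over the archive's entries and treat any uncovered one as unsigned.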

Impact

By convincing a user to execute a signed Java applet, e.g. by visiting a website, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.


Solution

Apply an update

This issue has been addressed by the Java updates specified in the Oracle Java Critical Patch Update - March 2010 document.


Disable Java

This and other Java vulnerabilities can be mitigated by disabling Java support in your web browser. Details are available in the Securing Your Web Browser document.

Disable signed Java

Details for disabling signed Java are available in the CERT Vulnerability Analysis Blog entry Signed Java Applet Security: Worse than ActiveX?.


Vendor Information

Oracle Corporation: Affected (updated April 02, 2010). We have not received a statement from the vendor. This issue has been addressed by the Java updates specified in the Oracle Java Critical Patch Update - March 2010 document.

Sun Microsystems, Inc.: Affected (notified October 22, 2008; updated April 02, 2010). We have not received a statement from the vendor. This issue has been addressed by the Java updates specified in the Oracle Java Critical Patch Update - March 2010 document.

Acknowledgements

Thanks to Brian Bjerre Graversen of Signaturgruppen for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2010-0087
Severity Metric: 27.34
Date Public:
