CVSS2 Base Score: 10 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.965 (High)
EPSS Percentile: 99.5%
Added: 10/15/2010
CVE: CVE-2010-3552
BID: 44023
Oracle Java SE and Java for Business are development platforms for developing and deploying Java applications. They include the Java SE Development Kit (JDK) and the Java Runtime Environment (JRE). The JRE provides the minimum requirements for executing a Java application and consists of the Java Virtual Machine (JVM), core classes and supporting files. The most common forms of web-based Java application are the Java applet and the Java Web Start (JWS) application. One of the components of the JRE is the Java Internet Explorer (IE) Browser plugin, which allows embedding an applet or JWS application into an HTML page using the object tag or the applet tag.
The Oracle Java IE Browser Plugin is vulnerable to a stack-based buffer overflow when launching a JWS application. A remote attacker could gain system access by enticing a user to open a specially crafted web page in IE that embeds a JWS application using the launchjnlp attribute and an overly long docbase attribute.
Apply the patches detailed in the Oracle Java SE and Java for Business Critical Patch Update Advisory for October 2010.
<http://secunia.com/advisories/41791/>
<http://www.zerodayinitiative.com/advisories/ZDI-10-206/>
Exploit works on Oracle Java SE and Java for Business containing Oracle JRE 6 Update 21.
The user must open the exploit in Internet Explorer 6 or 7.
Platform: Windows