Java Runtime CMM readMabCurveData Buffer Overflow

2010-10-04T00:00:00
ID SAINT:6D316B6935F5268E947FC74FC2C65EBC
Type saint
Reporter SAINT Corporation
Modified 2010-10-04T00:00:00

Description

Added: 10/04/2010
CVE: CVE-2010-0838
BID: 39069
OSVDB: 63500

Background

Oracle Java SE and Java for Business are development platforms for developing and deploying Java applications. They include the Java SE Development Kit (JDK) and the Java Runtime Environment (JRE). The JRE provides the minimum requirements for executing a Java application (e.g., an applet) and consists of the Java Virtual Machine (JVM), core classes and supporting files. One of the libraries included in the JVM is the Color Management Module (CMM), which controls the conversion among the color representations used by various devices by processing International Color Consortium (ICC) profiles.

Problem

Oracle Java SE and Java for Business 6 Update 18 and prior, and 5.0 Update 23 and prior are vulnerable to a buffer overflow in the CMM readMabCurveData function. A remote attacker could gain system access if a user opens a Java applet that imports a malicious ICC profile that specifies an invalid count for curveType objects passed to the readMabCurveData function.
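The defect class described above, a count field read from an ICC curveType object and trusted as a length, is illustrated by the added Python reader below; it is example code, not SAINT's or Oracle's, and it shows the bounds check a hardened profile parser needs. The curveType layout (4-byte `curv` signature, 4 reserved bytes, big-endian uint32 count, then uint16 entries) follows the ICC specification; the sample tags are constructed, and the function names are the example's own.

```python
import struct

CURVE_SIG = b"curv"
HEADER_LEN = 12   # 4-byte signature + 4 reserved bytes + 4-byte count
ENTRY_LEN = 2     # each curve entry is a uint16


def parse_curve_type(tag: bytes) -> list[int]:
    """Parse one ICC curveType tag, rejecting any count the data cannot back."""
    if len(tag) < HEADER_LEN:
        raise ValueError("curveType shorter than its 12-byte header")
    sig, _reserved, count = struct.unpack(">4sII", tag[:HEADER_LEN])
    if sig != CURVE_SIG:
        raise ValueError(f"bad curveType signature {sig!r}")
    # Bound the attacker-controlled count by the bytes actually present
    # before it is used to size any allocation or copy. In a C reader this
    # product must also be checked for integer overflow before comparing.
    needed = HEADER_LEN + count * ENTRY_LEN
    if needed > len(tag):
        raise ValueError(f"count {count} needs {needed} bytes, tag has {len(tag)}")
    return list(struct.unpack(f">{count}H", tag[HEADER_LEN:needed]))


def build_curve_type(values: list[int]) -> bytes:
    """Encode a well-formed curveType tag from a list of uint16 entries."""
    return (CURVE_SIG + b"\x00" * 4 + struct.pack(">I", len(values))
            + struct.pack(f">{len(values)}H", *values))


def is_well_formed(tag: bytes) -> bool:
    """True only if the tag parses under the bounds check above."""
    try:
        parse_curve_type(tag)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample tags: a valid 3-entry curve, and a 12-byte header whose
# count field claims 0xFFFFFFFF entries that are not present in the data.
GOOD_CURVE = build_curve_type([0, 32768, 65535])
BAD_CURVE = CURVE_SIG + b"\x00" * 4 + struct.pack(">I", 0xFFFFFFFF)

if __name__ == "__main__":
    print(parse_curve_type(GOOD_CURVE))   # [0, 32768, 65535]
    print(is_well_formed(BAD_CURVE))      # False
```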

Resolution

Apply the patches detailed in the Oracle Java SE and Java for Business Critical Patch Update Advisory for March 2010.

References

<http://www.zerodayinitiative.com/advisories/ZDI-10-061/>

Limitations

Exploit works on Oracle Java SE and Java for Business containing Oracle JRE 6 Update 18.

The user must open the exploit in Internet Explorer 6, 7, or 8 or Mozilla Firefox 2.x or 3.x.

Platforms

Windows