CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
99.2%
Added: 11/27/2009
CVE: CVE-2009-3869
BID: 36881
OSVDB: 59710
Java Runtime Environment (JRE) allows end users to run Java applications.
A buffer overflow vulnerability in the setDiffICM function of the Abstract Window Toolkit (AWT) allows command execution when a user loads a specially crafted web page.
Apply the update referenced in Sun article 270474.
<http://www.zerodayinitiative.com/advisories/ZDI-09-078/>
Exploit works on Java Runtime Environment 6 Update 16 and requires a user to open the exploit page in Firefox 2.0.x.
In order for the exploit to succeed, the security policy in JRE must allow access to classes in the sun.awt.image package. To configure JRE to allow access to classes in the sun.awt.image package, add the following lines to the Java policy file on the target system:
>
> grant {
> permission java.lang.RuntimePermission
> “accessClassInPackage.sun.awt.image”;
> }
>
The Java policy file can be found at:
>
> C:\Program Files\Java\jreX\lib\security\java.policy
>
where X is the JRE series, such as 5 or 6.
Windows