Sun Java Web Start JNLP File Processing Buffer Overflow
Secunia Advisory: SA25981
Release Date: 2007-07-10
Last Update: 2007-07-11
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Java Web Start 1.x
Sun Java JDK 1.5.x
Sun Java JDK 1.6.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
CVE reference: CVE-2007-3655 (Secunia mirror)
Description:
A vulnerability has been reported in Sun Java Web Start, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by a boundary error within the Java Web Start component (javaws.exe) when processing JNLP files. This can be exploited to cause a stack-based buffer overflow via a specially crafted JNLP file with an overly long codebase attribute.
Successful exploitation allows execution of arbitrary code, e.g. when a user visits a malicious website.
The vulnerability is reported in the following versions:
* JRE and JDK 6 Update 1 and earlier
* JRE and JDK 5 Update 11, and earlier
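
For hosts that cannot be updated immediately, a mail or web gateway can flag JNLP files whose codebase attribute is unusually long. The check below is an added example, not part of the Secunia advisory or any vendor tooling; the 256-character limit and the sample documents are assumptions, since the advisory states no buffer size.

```python
import re
import xml.etree.ElementTree as ET

# Assumed review threshold: the advisory gives no buffer size, so this is a
# local policy value for "overly long", not a figure from the advisory.
MAX_CODEBASE_LEN = 256

# Fallback for input that is not well-formed XML; a crafted file need not parse.
_CODEBASE_RE = re.compile(
    r"""\bcodebase\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I | re.S
)


def codebase_values(jnlp_text):
    """Return every codebase attribute value found in a JNLP document."""
    try:
        root = ET.fromstring(jnlp_text)
    except ET.ParseError:
        # Malformed XML: scan the raw text instead of skipping the file.
        return [dq or sq for dq, sq in _CODEBASE_RE.findall(jnlp_text)]
    return [el.attrib["codebase"] for el in root.iter() if "codebase" in el.attrib]


def check_jnlp(jnlp_text, limit=MAX_CODEBASE_LEN):
    """Return (suspicious, longest_length) for one JNLP document."""
    longest = max((len(v) for v in codebase_values(jnlp_text)), default=0)
    return longest > limit, longest


# Constructed samples, not taken from the advisory.
BENIGN = '<jnlp spec="1.0+" codebase="http://example.com/app/" href="app.jnlp"></jnlp>'
OVERLONG = '<jnlp spec="1.0+" codebase="http://example.com/' + "A" * 2000 + '"></jnlp>'
# Not well-formed (element never closed): exercises the regex fallback.
TRUNCATED = '<jnlp codebase="http://example.com/' + "A" * 2000 + '" href="x.jnlp"'

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("overlong", OVERLONG), ("truncated", TRUNCATED)):
        print(name, check_jnlp(doc))
```

A hit only marks the file for review or quarantine; applying the updates listed under Solution remains the fix.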
Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable:
http://secunia.com/software_inspector/
Solution:
Apply updates.
JRE/JDK 5 Update 12:
http://java.sun.com/javase/downloads/index_jdk5.jsp
JRE/JDK 6 Update 2:
http://java.sun.com/javase/downloads/index.jsp
Provided and/or discovered by:
Daniel Soeder, eEye Digital Security
The vendor also credits Brett Moore.
Changelog:
2007-07-11: Added CVE reference. Updated "Title", "Description" and "Solution". Added JDK as affected product.
Original Advisory:
Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102996-1
eEye:
http://research.eeye.com/html/advisories/published/AD20070705.html
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064552.html