| Home | Log In | Register | Our Services | My Account | Contact | Help |
You are NOT currently logged in
TullettJ (MoneyAM)
- 27 Nov 2004 07:56
Hello,
Over the last few days it has come to light that there is a critical vulnerability within the Sun java JVM(not MSJAVA). It is exploitable through some simple javascript that any malicious website can serve up.
The following is copied from the BugTrack mailing list:
Sun Java Plugin arbitrary package access vulnerability
OVERVIEW
========
Sun Microsystem's Java Plugin connects the Java technology to web
browsers and allows the use of Java Applets. Java Plugin technology is
available for numerous platforms and supports major web browsers.
A vulnerability in Java Plugin allows an attacker to create an Applet
which can disable Java's security restrictions and break out of the
Java sandbox. The attack can be launched when a victim views a web page
created by the attacker. Further user interaction is not required as
Java Applets are normally loaded and started automatically.
Such Applet can then take any action which the user could: browse,
read, or modify files, upload more programs to the victim system and
run them, or send out data from the system. Java is a cross-platform
language so the same exploit could run on various OS'es and
architectures.
VULNERABLE VERSIONS
===================
The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on Windows
and Linux. Web browsers tested were Microsoft Internet Explorer,
Mozilla Firefox and Opera. It should be noted that Opera uses a
different way of connecting JavaScript and Java which caused the test
exploit not to work on Opera. However the problem itself (access to
private packages) was demonstrated on Opera too, so it may be
vulnerable to a variation of the exploit.
SOLUTION
========
Sun Microsystems was informed on April 29, 2004 and has fixed the
problem in J2SE 1.4.2_06, available at
http://java.sun.com/j2se/1.4.2/download.html
CREDITS
=======
The vulnerability was discovered and researched by Jouko Pynnonen,
Finland.
Over the last few days it has come to light that there is a critical vulnerability within the Sun java JVM(not MSJAVA). It is exploitable through some simple javascript that any malicious website can serve up.
The following is copied from the BugTrack mailing list:
Sun Java Plugin arbitrary package access vulnerability
OVERVIEW
========
Sun Microsystem's Java Plugin connects the Java technology to web
browsers and allows the use of Java Applets. Java Plugin technology is
available for numerous platforms and supports major web browsers.
A vulnerability in Java Plugin allows an attacker to create an Applet
which can disable Java's security restrictions and break out of the
Java sandbox. The attack can be launched when a victim views a web page
created by the attacker. Further user interaction is not required as
Java Applets are normally loaded and started automatically.
Such Applet can then take any action which the user could: browse,
read, or modify files, upload more programs to the victim system and
run them, or send out data from the system. Java is a cross-platform
language so the same exploit could run on various OS'es and
architectures.
VULNERABLE VERSIONS
===================
The Java Plugin versions 1.4.2_04 and 1.4.2_05 were tested on Windows
and Linux. Web browsers tested were Microsoft Internet Explorer,
Mozilla Firefox and Opera. It should be noted that Opera uses a
different way of connecting JavaScript and Java which caused the test
exploit not to work on Opera. However the problem itself (access to
private packages) was demonstrated on Opera too, so it may be
vulnerable to a variation of the exploit.
SOLUTION
========
Sun Microsystems was informed on April 29, 2004 and has fixed the
problem in J2SE 1.4.2_06, available at
http://java.sun.com/j2se/1.4.2/download.html
CREDITS
=======
The vulnerability was discovered and researched by Jouko Pynnonen,
Finland.
TullettJ (MoneyAM)
- 27 Nov 2004 07:58
- 2 of 18
If you are interesting in finding out how secure your browser is (with regards to fixes that you have applied and what have you), then please go here:
http://bcheck.scanit.be/bcheck/
Please read their instructions carefully before starting the tests.
J.
http://bcheck.scanit.be/bcheck/
Please read their instructions carefully before starting the tests.
J.
optomistic
- 27 Nov 2004 11:34
- 3 of 18
Ian I have version 1.4.2_05 I have selected upgrade on Java control panel, Says I have the latest version available. Where does version 06 fit in the list plese? It sounds like it should supercede version 05 but it appears that it is not the case according to Java.
opto
opto
TullettJ (MoneyAM)
- 27 Nov 2004 11:45
- 4 of 18
optomistic,
Have you clicked on the link I posted above?
J.
Have you clicked on the link I posted above?
J.
optomistic
- 27 Nov 2004 11:51
- 5 of 18
Have done, not sure which to download
optomistic
- 27 Nov 2004 12:33
- 6 of 18
That took some sorting, showing browser is now secure with no vulnerabilities. Previously showed high risk vul...
thank you J
thank you J
stockbunny
- 28 Nov 2004 10:18
- 7 of 18
Err Help!
I've followed the link and there's several potential downloads here..
don't know which one I'm supposed to choose...
I've followed the link and there's several potential downloads here..
don't know which one I'm supposed to choose...
emailpat
- 28 Nov 2004 11:58
- 8 of 18
Tried twice to d/load but I haven't got enough virtual memory(I knew I was going senile)help!!!
optomistic
- 28 Nov 2004 12:21
- 9 of 18
emailpat, check to see if your PC has allocated the correct paging file size. Recommended 718 mgbites for XP. Don't know about the other systems. Access to info through control panel..click on system. You will find it in there.
aldwickk
- 28 Nov 2004 15:26
- 10 of 18
I have version 06 and done a browser check which turned out O K , what is the full check option ?
MightyMicro
- 28 Nov 2004 15:38
- 11 of 18
stockbunny:
Try http://www.java.com/en/download/manual.jsp
and select the Windows Download button (the first one).
Try http://www.java.com/en/download/manual.jsp
and select the Windows Download button (the first one).
emailpat
- 28 Nov 2004 21:44
- 12 of 18
optomistic- TKS
stockbunny
- 29 Nov 2004 14:59
- 13 of 18
Thanks MightyMicro & Opto - still having fun with this..LOL!
IanT(MoneyAM)
- 01 Dec 2004 16:09
- 14 of 18
PLease note that some of you will be using Microsoft VM, and not Java so this in which case this would not be applicable to you.
To check to see if you are running NM or Java, go to tools at the top of your screen, and click on internet options and then advanced - in the long list you will see either of these or both and the one which you are using will be ticked.
Thanks
Ian
To check to see if you are running NM or Java, go to tools at the top of your screen, and click on internet options and then advanced - in the long list you will see either of these or both and the one which you are using will be ticked.
Thanks
Ian
stockbunny
- 01 Dec 2004 16:10
- 15 of 18
Cheers Ian!
Priscilla
- 01 Dec 2004 16:21
- 16 of 18
Following your post 13, Ian, I have Microsoft VM with the 'JIT compiler for virtual machine enabled' ticked. Does this mean I can stop worrying about this thingy then?
IanT(MoneyAM)
- 01 Dec 2004 16:22
- 17 of 18
Priscilla - exactly - just majke sure you keep your windows updates up to date as it were :)
Ian
Ian
Priscilla
- 01 Dec 2004 16:26
- 18 of 18
Thanks, Ian!! Yippeeeee!
- Page:
- 1
| About MoneyAM | Ts and Cs | Privacy Policy | Investment Warning | Content Standards | Corporate Solutions | Advertise With Us | Site Map | © 2025 MoneyAM |
Register now for FREE
Share Prices,
Stock Quotes,
Charts, Bulletin Boards, Indices, Watchlists, Portfolio, Market News, Research
or see our Premium Services including Level 2, Terminal and much more.
Follow us on Twitter