Date: 20 July 2007
Last week I was asked about the AusCERT Alert AL-2007.0071 by ZDNet, which was used in the article Dangerous Java flaw threatens virtually everything, which subsequently made it to Slashdot. In typical Slashdot style, the discussion missed the point (and mis-attributed some quotes) and rapidly degenerated into a flame war.
I'd like to take this opportunity to clarify exactly what I said in the email interview with Liam Tung of ZDNet Australia. Looking back on this I neglected to point out that while most organisations roll out software patches in a timely manner, many are still forced to run older versions of the JRE in order to support their Java applications. Anyway, here is the interview:
Liam Tung: How dangerous is this?
Robert Lowe: The advisory from Sun covers two vulnerabilities, the most serious of which may allow for a Java applet or application to trigger a buffer overflow during the processing of JPG and BMP image files.
The researcher who discovered this vulnerability has confirmed that it is capable of crashing the Java Virtual Machine and surmises that this may be extended to execute code. AusCERT is not aware of further reports or proof of concept code which confirms the execution of code.
Liam Tung: What can it be used for?
Robert Lowe: Assuming this vulnerability may be exploited to execute arbitrary code as the user running the virtual machine, similar vulnerabilities have been used in the past to install malicious software via malicious web pages.
Delivery of exploits in this manner is attractive to attackers because, even though the browser may be fully patched, some people neglect to also patch programs invoked by browsers to render specific types of content. Also, this exploit is browser independent, as long as the browser invokes a vulnerable Java Runtime Environment.
There is also potential for the exploitation of server software written in Java. However, you would have to be able to send such software a specially crafted image and have it processed by the server to potentially execute code.
Liam Tung: Who is at risk?
Robert Lowe: Anyone using the Java Runtime Environment or Java Development Kit. Some home users would probably have a vulnerable version of the JRE installed and may not know they are vulnerable. Some corporate desktop systems would be using the JRE for corporate applications; however, many such organisations automate patch deployment and lock down browsers to make the successful exploitation of this vulnerability more difficult. As I described above, server applications may also be vulnerable, but administrators of web applications are often more diligent about keeping the software up to date.
Liam Tung: Can it be used to infect people's computers on what would be otherwise "trusted" websites?
Robert Lowe: I'm not sure exactly what you mean by "trusted" in this context. A web site would have to contain, or point to, malicious content in order to exploit this vulnerability. So an attacker would need to set up a web site for this purpose or compromise an existing web site to include malicious content. Then if visitors to that web site have a vulnerable version of the JRE and their browser configured to allow Java execution. This type of attack is not limited to Java; a similar attack would also be possible with recent Flash vulnerabilities:
http://www.auscert.org.au/7830
Also, FYI, there are more recent similar Java vulnerabilities, e.g.:
http://www.auscert.org.au/7844
--
Robert Lowe
Computer Security Analyst, AusCERT