Sun Java Plug-in Javascript Error Lets Remote Users Access Files and Applications
SecurityTracker Alert ID: 1012952
SecurityTracker URL: http://securitytracker.com/id/1012952
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 20 2005
Impact: Denial of service via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier
Description:
Two vulnerabilities were reported in the Sun Java Plug-in. A malicious applet can access local files and applications or interfere with other running applets.
A remote user can create an applet that, when loaded, will gain elevated privileges via malicious Javascript. The applet can read and write local files or execute local applications with the privileges of the user running the untrusted applet.
An untrusted applet may also be able to interfere with another applet within the same web page, causing the other applet to incorrectly load non-code resources such as files and web pages.
Sun credits Fujitsu with reporting these flaws.
SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier are affected.
JDK and JRE 5.0 are not affected.
Impact:
A remote user can access files and applications on the target user's system with the privileges of the target user.
A remote user can cause denial of service conditions.
Solution:
Sun has issued the following fixes:
SDK and JRE 1.4.2_06 and later and 1.3.1_13 and later
J2SE releases are available at:
http://java.sun.com/j2se/
J2SE 5.0: http://java.sun.com/j2se/1.5.0/download.jsp
J2SE 1.4.2_06: http://java.sun.com/j2se/1.4.2/download.html and http://java.com
J2SE 1.3.1_14: http://java.sun.com/j2se/1.3/download.html
Vendor URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
Message History:
None.
Source Message Contents
Date: Thu, 20 Jan 2005 03:42:53 -0500
Subject: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1
> Document ID: 57708
> Synopsis: Security Vulnerabilities With Java Plug-in in JRE/SDK
Sun reported a vulnerability in the Java Plug-in. A remote user can create an applet
that, when loaded, will gain elevated privileges via malicious Javascript. The applet
can read and write local files or execute local applications with the privileges of
the user running the untrusted applet.
An untrusted applet may also be able to interfere with another applet within the same
web page, causing the other applet to incorrectly load non-code resources such as files
and web pages.
Sun credits Fujitsu with reporting these flaws.
SDK and JRE 1.4.2_05 and earlier, all 1.4.1 and 1.4.0 releases, and 1.3.1_12 and earlier are affected.
JDK and JRE 5.0 are not affected.
Sun has issued the following fixes:
SDK and JRE 1.4.2_06 and later and 1.3.1_13 and later
J2SE releases are available at:
http://java.sun.com/j2se/
J2SE 5.0: http://java.sun.com/j2se/1.5.0/download.jsp
J2SE 1.4.2_06: http://java.sun.com/j2se/1.4.2/download.html and http://java.com
J2SE 1.3.1_14: http://java.sun.com/j2se/1.3/download.html
-----
Sun Alert ID: 57708
Synopsis: Security Vulnerabilities With Java Plug-in in JRE/SDK
Category: Security
Product: Java, JRE/SDK
BugIDs: 4883871, 5004017
Avoidance: Upgrade
State: Resolved
Date Released: 18-Jan-2005
Date Closed: 18-Jan-2005
Date Modified: