JPCERT-AT-2010-0010
JPCERT/CC
2010-04-16
<<< JPCERT/CC Alert 2010-04-16 >>>
Vulnerabilities in Oracle Sun JDK and JRE
https://www.jpcert.or.jp/at/2010/at100010.txt
I. Overview
Oracle JDK and JRE contain multiple vulnerabilities. As a result, a
remote attacker could execute arbitrary code by convincing a user to
view a specially crafted website. Attack sites that might be
exploiting this vulnerability have already been made public. Users
are recommended to apply a patch immediately.
Oracle Security Alert CVE-2010-0886
http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html
II. Products Affected
Affected products and versions are as follows:
JDK and JRE 6 Update 19 and earlier
* The JRE is preinstalled in some PCs provided by certain
manufacturers. Just in case, make sure if the JRE is installed on the
PC.
III. Result of JPCERT/CC Verification
JPCERT/CC has examined the exploit code for this vulnerability.
[Verification environment]
OS: Windows XP SP3 (with April 2010 security update applied)
Browser: IE 8.0.6001.18702 or Firefox 3.6.3
- Verification result for JRE 6 Update 19
As a result of executing the exploit code in the above
verification environment with JRE 6 update 19 installed,
JPCERT/CC has confirmed that calc.exe is executed.
(The Java logo is displayed on the browser.)
- Verification result for JRE 6 Update 20
As a result of executing the exploit code in the above
verification environment with JRE 6 update 20 installed,
JPCERT/CC has confirmed that calc.exe is not executed.
(The Java logo is not displayed on the browser.)
IV. Solution
Apply the corrected software (update 20) provided by Oracle.
Java SE Downloads
http://java.sun.com/javase/downloads/index.jsp
When 64-bit Windows is used, either 32-bit JRE or 64-bit JDK/JRE, or
both may be installed. Users should check their JDK/JRE, and apply
the corresponding corrected software.
V. References
Oracle
Security Alert for CVE-2010-0886 and CVE-2010-0887 Released
http://blogs.oracle.com/security/2010/04/security_alert_for_cve-2010-08.html
JVNVU#886582
Oracle Sun Java Deployment Toolkit insufficient argument validation
https://jvn.jp/cert/JVNVU886582/index.html
ISS Tokyo SOC Report
Zero-day attacks exploiting a Java Deployment Toolkit vulnerability have been observed
https://www-950.ibm.com/blogs/tokyo-soc/entry/javaws-201004?lang=ja
If you have any further questions or information regarding this alert,
please contact JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top