HTTP Sun Java Get Sound Bank BO

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature will detect attempts to exploit a remote code-execution vulnerability in Sun Java SE.

Additional Information

Sun has released updates to address multiple security vulnerabilities in Java SE:

1. A weakness affects the Java Update Mechanism on non-English versions of Microsoft Windows. The weakness may prevent updates to Java Runtime Environment (JRE) when a new version is available. This introduces a false sense of security and may allow attackers to exploit other issues. (SUN Alert ID 269868, CVE-2009-3864)

2. A command-execution vulnerability exists in the JRE Deployment Toolkit. The issue occurs in the 'launch' command of the JRE Deployment Toolkit. The command method accepts an arbitrary string as an argument, and passes it as a command-line argument to 'javaws.exe'. This can be exploited when a user visits a specially crafted site with Microsoft Internet Explorer or Mozilla Firefox. (SUN Alert ID 269869; CVE-2009-3865)

3. A security vulnerability may allow attackers to run an untrusted Java Web Start application as a trusted application. The problem occurs in the implementation of the security model permissions during the removal of installer extensions. This will allow arbitrary code to run when a user visits a specially crafted site. (SUN Alert ID 269870)

4. Multiple buffer-overflow and integer-overflow vulnerabilities occur when processing audio and image files. These issues may allow an untrusted applet to run arbitrary code with elevated privileges. (SUN Alert ID 270474)

These issues include:

- A stack-based buffer overflow occurs when processing long 'file://' URL arguments in the 'HsbParser.getSoundBank()' function. (CVE-2009-3867)

- A stack-based buffer overflow occurs in the 'setDiffICM' AWT library function when processing arguments. (CVE-2009-3869)

- A heap-based overflow occurs in the 'setBytePixels' AWT library function when processing arguments. This issue exists due to insufficient input validation when passing parameters from Java code into native methods. (CVE-2009-3871)

- An integer overflow occurs when processing JPEG image dimensions.

- A stack-based buffer overflow occurs when parsing an overly long tag in an Image Color Profile. (CVE-2009-3868)

5. An unspecified security vulnerability that is related to verifying HMAC digests may allow attackers to forge a digital signature that would be accepted as valid. The issue potentially affects applications that validate HMAC-based digital signatures. (SUN Alert ID 270475)

6. Two denial-of-service vulnerabilities affect JRE running on servers and can be used to cause high memory consumption and denial-of-service conditions. These issues are related to decoding DER-encoded data and parsing HTTP headers. (SUN Alert ID 270476) (CVE-2009-3877)


The full list of bug fixes is as follows:

1. 'ICC_Profile' allows detecting if files exist (CVE-2009-3728)
2. A denial of service in TrueType font parsing when testing Sun Bug 6751322 (CVE-2009-3729)
3. A problem where X11 and Win32GraphicsDevice don't clone arrays returned from 'getConfigurations()' (CVE-2009-3879)
4. An issue in the JPEG JFIF Decoder (CVE-2009-3872)
5. A stack overflow in JRE AWT 'setDiffICM' (CVE-2009-3869)
6. A heap overflow in JRE AWT 'setBytePixels' (CVE-2009-3871)
7. 'Component' and '[Default]KeyboardFocusManager' pass security-sensitive objects to loggers (CVE-2009-3880)
8. An issue that allows Resurrected ClassLoaders to have children (CVE-2009-3881)
9. MD2 is not properly disabled in certificate chain validation (CVE-2009-2409)
10. 'MessageDigest.isEqual' contains timing attack vulnerabilities (CVE-2009-3875)
11. An issue in the ASN.1/DER input stream parser (CVE-2009-3877)
12. A stack buffer-overflow in Sun Java 'HsbParser.getSoundBank' (CVE-2009-3867)
13. Multiple static security issues in Swing (CVE-2009-3882, CVE-2009-3883)
14. Windows PL and F contains mutable statics
15. 'TimeZone.getTimeZone' can allow probing of the local filesystem (CVE-2009-3884)
16. A denial of service when parsing BMPs with UNC ICC links (CVE-2009-3885)
17. A quantization problem in the JPEG Image Writer (CVE-2009-3873)
18. A heap overflow in ImageI/O JPEG (CVE-2009-3874)
19. A malfunction in Java Update (CVE-2009-3864)
20. The Deployment Toolkit plugin 'launch' method is vulnerable to unspecified exploits (CVE-2009-3865)
21. Arbitrary code execution in Java Web Start (CVE-2009-3866)
22. A regression problem when running JNLP app and applets with signed Jar files (CVE-2009-3886)

Successful exploits may allow attackers to bypass certain security restrictions, run untrusted applets with elevated privileges, execute arbitrary code, and cause denial-of-service conditions. Other attacks are also possible.

These issues are addressed in the following releases:

JDK and JRE 6 Update 17
JDK and JRE 5.0 Update 22
SDK and JRE 1.4.2_24
SDK and JRE 1.3.1_27

Affected

  • Sun Java SE in JDK and JRE 6 Prior to Update 17
  • Sun Java JDK and JRE 5.0 Prior to Update 22
  • Sun SDK and JRE Prior to 1.4.2_24
  • SDK and JRE Prior to 1.3.1_27
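
The affected-release list above can be applied to a software inventory mechanically. The following is an added example, not part of the original advisory: it classifies `java -version` style strings against the fixed releases listed here. It assumes Sun's version-string convention (JDK/JRE 6 Update 17 reports as 1.6.0_17, 5.0 Update 22 as 1.5.0_22); the function names, hostnames and sample strings are constructed for illustration.

```python
import re

# First fixed release per (major, minor) line, from the advisory's list of
# fixed releases, stored as (micro, update). Assumes Sun's version-string
# form: JDK/JRE 6 Update 17 -> 1.6.0_17, 5.0 Update 22 -> 1.5.0_22.
FIRST_FIXED = {
    (1, 6): (0, 17),  # JDK and JRE 6 Update 17
    (1, 5): (0, 22),  # JDK and JRE 5.0 Update 22
    (1, 4): (2, 24),  # SDK and JRE 1.4.2_24
    (1, 3): (1, 27),  # SDK and JRE 1.3.1_27
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(text):
    """Return ((major, minor), (micro, update)), or None if no version found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, micro = (int(g) for g in m.group(1, 2, 3))
    update = int(m.group(4) or 0)  # "1.6.0" with no suffix counts as update 0
    return (major, minor), (micro, update)


def classify(text):
    """Classify a version string: affected, fixed, not-listed or unparseable."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    line, release = parsed
    fixed = FIRST_FIXED.get(line)
    if fixed is None:
        return "not-listed"  # release line this advisory does not mention
    # Tuple comparison also catches older micro releases such as 1.4.1_xx.
    return "affected" if release < fixed else "fixed"


# Constructed inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_16"',
    "ws-02": 'java version "1.6.0_17-b04"',
    "ws-03": 'java version "1.5.0_22"',
    "srv-01": 'java version "1.4.1_07"',
    "srv-02": 'java version "1.3.1_26"',
    "srv-03": "no java found",
}


def affected_hosts(inventory):
    """Return the sorted hostnames whose reported version is affected."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")
```
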

Response

Updates are available. Please see the references for more information.