funsec mailing list archives

RE: Security Vulnerabilities in the Java Runtime Environment


From: "Todd Towles" <toddtowles () brookshires com>
Date: Wed, 8 Feb 2006 15:43:10 -0600

http://secunia.com/advisories/18760/ - "Reflection" API

http://secunia.com/advisories/18762/ - "Java Web Start Sandbox Security Bypass"

-Todd

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Fergie
Sent: Wednesday, February 08, 2006 2:45 PM
To: funsec () linuxbox org
Subject: [funsec] Security Vulnerabilities in the Java Runtime Environment

These seem like they are quite serious, actually.

FYI,

- ferg




[via sun]

# Sun Alert ID: 102171
# Synopsis: Security Vulnerabilities in the Java Runtime Environment may Allow an Untrusted Applet to Elevate its Privileges
# Category: Security
# Product: Java 2 Platform, Standard Edition
# BugIDs: 6277246, 6316316, 6316314, 6316322, 6343309, 6343350, 6343342
# Avoidance: Upgrade
# State: Resolved
# Date Released: 07-Feb-2006
# Date Closed: 07-Feb-2006
# Date Modified:


Seven (7) vulnerabilities with the use of "reflection" APIs in the Java
Runtime Environment may independently allow an untrusted applet to elevate
its privileges. For example an applet may grant itself permissions to read
and write local files or execute local applications that are accessible to
the user running the untrusted applet.

[snip]

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

- ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



