Vulnerability Development mailing list archives

Re: Java - JRE, SDK Java Web Start


From: jfvanmeter () comcast net
Date: Wed, 18 Jul 2007 21:06:59 +0000

Hello Sapa3a, so if I wrote code that would place a payload down c:\program files\myprogram\jre\1.5.0_09 and then 
convinced a user to run it in "Internet Explorer" or possibly Outlook, or just good old "Windows", you don't think I 
could exploit a vulnerability in that version?

I know with the Sun Java Web Start vulnerability there are several workarounds if you can't update to the newest version 
of the JRE.

To work around this vulnerability, if you are not actively using Java WebStart, remove the .jnlp content type 
association in your registry:

- HKLM:Software\Classes\.jnlp
- HKLM:Software\Classes\JNLPfile
- HKLM:Software\Classes\MIME\Database\Content Type\application/x-java-jnlp-file

By deleting these registry keys, Java WebStart will no longer be used to open .jnlp files, thereby mitigating this 
vulnerability.

Other workarounds:

- Disable Java Web Start applications from being launched from a web browser:
  Internet Explorer:
  Right click on the "Start" button and select "Explore"
  In the "Start Menu" window, select "Tools" => "Folder Options"
  From the "Folder Options" window, select the "File Types" tab
  From the "Registered File Types" window, scroll down and locate the "JNLP - JNLP File"
  Select the "JNLP - JNLP File" and click the "Delete" button

- On Windows, applications may also be launched from the desktop icon or from the "Start" menu if a shortcut was 
previously created for an application. Unknown applications should not be launched through the desktop icon or the 
Start Menu. Shortcuts can be removed by using the Java Web Start Application Manager through the "Application/Remove 
Shortcut" menu item. For more information, see:

http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/overview.html

- It is also possible to launch applications through the command line in Windows. Unknown applications should not be 
launched through the command line. Sites may consider renaming the Java Web Start launcher ("javaws.exe" for Windows) 
to prevent Java Web Start from launching.

The launcher can be found at C:\Program Files\java\j2re1.5.0\javaws\javaws.exe (or down my path c:\program 
files\myprogram\jre\1.5.0_09\javaws.exe)

Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability
Patch Information http://www.securityfocus.com/archive/1/archive/1/473224/100/0/threaded
 
Security Focus -  http://www.securityfocus.com/bid/24832 

So I think JRE can be exploited directly on a "WINDOWS" system

Best Regards --John

 -------------- Original message ----------------------
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Dear jfvanmeter () comcast net,

 Vulnerability in JRE itself cannot be exploited directly. It can only
 be exploited through some JAVA-enabled application, browser in most
 cases. In case of e.g. JAVA-based Cisco VoIP software, vulnerability in
 JRE can only be exploited in case vulnerability is in some function
 used with remote user-supplied arguments. It's a rare enough case for
 Java. In this case, I believe, Cisco (or write any different vendor
 here) should issue an update for its software. It's not necessary for
 Cisco to update software every time JRE is updated, if vulnerability
 doesn't affect Cisco product installation.

--Monday, July 16, 2007, 7:18:37 PM, you wrote to vuln-dev () securityfocus com:

jcn> How does everyone feel about java being installed by vendors
jcn> in a proprietary path i.e. program files\mysoftware\bin\jre\1.4.0\
jcn> and never patching it.

jcn> I ran an enterprise scan looking for javaws.exe and found
jcn> it in 175 unique paths. Should they be held accountable for the
jcn> patching of java when they install it?

jcn> I had one vendor who installed java 1.3 and 1.4, and when I
jcn> asked them about it, their statement was "you don't have the modules
jcn> that require those versions, you can just delete them".

jcn> How does everyone patch Java that is not installed in its default location?


-- 
~/ZARAZA http://securityvulns.com/
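The two checks discussed in this thread, an inventory of javaws.exe copies bundled under vendor paths and a test of whether the .jnlp registry associations from the workaround are still present, as an added PowerShell example that is not part of any message above. The search roots are assumptions to adjust per environment; the script only reports and does not delete anything.

```powershell
# Added example, not from the thread. Run as an administrator on the workstation being audited.
# Assumption: the vendor-bundled JREs live somewhere under these roots (adjust for your site).
$SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)')

function Get-JavaWsLaunchers {
    # Every javaws.exe found, with its file version, so a vendor copy such as
    # <vendor>\jre\1.5.0_09\javaws.exe is listed next to the default Sun install.
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Filter 'javaws.exe' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Version = $_.VersionInfo.FileVersion
                }
            }
    }
}

function Test-JnlpAssociation {
    # The three HKLM keys the workaround removes. A key that still exists means .jnlp
    # content can still be handed to Java Web Start on this host.
    $subKeys = @(
        'SOFTWARE\Classes\.jnlp',
        'SOFTWARE\Classes\JNLPfile',
        'SOFTWARE\Classes\MIME\Database\Content Type\application/x-java-jnlp-file'
    )
    foreach ($sub in $subKeys) {
        # .NET OpenSubKey is used instead of Test-Path because the registry provider would
        # read the forward slash in the MIME key name as a path separator.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub)
        $present = $null -ne $key
        if ($present) { $key.Close() }
        [pscustomobject]@{
            Key     = "HKLM\$sub"
            Present = $present
            Status  = if ($present) { 'PRESENT - workaround not applied' } else { 'absent' }
        }
    }
}

'== javaws.exe launchers found =='
Get-JavaWsLaunchers | Sort-Object Path | Format-Table -AutoSize

'== .jnlp association keys =='
Test-JnlpAssociation | Format-Table -AutoSize
```

Feed the launcher list to whatever patch-tracking you use; any javaws.exe whose version is older than the one shipped in the fix referenced above is a bundled JRE the vendor has not updated.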



