Status Tracking Note JVNTR-2010-14

Java Deployment Toolkit insufficient argument validation (VU#886582)

Overview

The Sun Java Deployment Toolkit plugin and ActiveX control perform insufficient argument validation, allowing an attacker to perform several attacks, including the execution of an arbitrary JAR file.

Event Information

Date (UTC) / Description
2010-04-16 13:13 US-CERT
Oracle Releases Sun Java SE 1.6.0_20
US-CERT Current Activity
Oracle has released Sun Java SE 1.6.0_20 to address several vulnerabilities. The release notes for this version of Java SE indicate that these vulnerabilities are in Java Deployment Toolkit and the new Java Plug-in. Exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to execute arbitrary code.
2010-04-16 02:41 JPCERT/CC
JPCERT-AT-2010-0010: Vulnerabilities in Oracle Sun JDK and JRE
2010-04-15 19:52 Oracle
Oracle Security Alert CVE-2010-0886
2010-04-15 11:47 Symantec
ThreatCON (2) => (2)
Java Runtime Environment 1.6.0_20 is released, which seems to address the code-execution vulnerability (BID 39346) affecting Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins. This issue is reported to be exploited in the wild.
2010-04-14 15:00 Trend Micro
JS_WEBSTART.A
Exploiting vulnerability (CVE-2010-0886)
2010-04-13 22:22 US-CERT
TA10-103C: Adobe Reader and Acrobat Vulnerabilities
Via US-CERT Mailing List
2010-04-13 14:09 US-CERT
Sun Java Deployment Toolkit Plugin and ActiveX Control Vulnerability
US-CERT Current Activity
The Sun Java Development Toolkit plugin and ActiveX control contain a vulnerability. This vulnerability is due to insufficient argument validation. By convincing a user to visit a specially crafted HTML document, an attacker may be able to exploit this vulnerability and execute an arbitrary JAR file on the affected system.
2010-04-09 16:47 Symantec
ThreatCON (2) => (2)
Oracle Java JRE versions since 6 Update 10 are prone to multiple remote code execution vulnerabilities (other versions might also be affected). The issues stem from insufficient validation of user-supplied input.
2010-04-09 11:08
Java Deployment Toolkit Performs Insufficient Validation of Parameters
Vulnerability Proof Of Concept (CVE-2010-1423)
#Tested:cpe:/o:microsoft:windows_xp + cpe:/a:sun:jre:1.6.0:update19

Reference

Date first published (UTC): 2010-04-24T02:19+00:00
Date last updated (UTC): 2010-04-24T02:19+00:00