Sun Java Updates for Multiple Vulnerabilities
http://jvnrss.ise.chuo-u.ac.jp/jtg/trn/en/TRTA08-193A.html
JVNRSS based Status Tracking Notes: Sun has released alerts to address multiple vulnerabilities affecting the Sun Java Runtime Environment. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code.
JVNRSS Feasibility Study Team (jvn@jvn.jp) | TRTA08-193A | 2008-07-20T10:29+00:00

Sun Java Updates for Multiple Vulnerabilities
http://www.us-cert.gov/cas/techalerts/TA08-193A.html
Via US-CERT Mailing List
US-CERT | TA08-193A | http://www.us-cert.gov/cas/techalerts/TA08-193A.html | 2008-07-11T16:04-04:00

Sun Releases Updates for Java SE
http://www.us-cert.gov/current/archive/2008/07/10/archive.html#sun_releases_updates_for_java
US-CERT Current Activity
Sun has released updates for Java SE. These updates address multiple vulnerabilities in Java Runtime Environment (JRE), Java Web Start, Java Management Extensions (JMX), JDK, and Java Runtime Environment Virtual Machine. These vulnerabilities may allow a remote attacker to execute arbitrary code, bypass security restrictions, obtain sensitive information or cause a denial-of-service condition.
US-CERT | http://www.us-cert.gov/cas/techalerts/TA08-193A.html | 2008-07-10T08:30-04:00

Java Update
http://isc.sans.org/diary.html?storyid=4699
A couple of readers told us about a security-relevant update to Java.
SANS Internet Storm Center | http://www.us-cert.gov/cas/techalerts/TA08-193A.html | 2008-07-10T02:51+00:00

Security Vulnerability in Java Management Extensions (JMX)
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238965-1
A vulnerability in the Java Management Extensions (JMX) management agent included in the Java Runtime Environment (JRE) may allow a JMX client running on a remote host to perform unauthorized operations on a system running JMX with local monitoring enabled.
Sun Microsystems | 238965 | 2008-07-08T00:00-06:00

Security Vulnerability in JDK/JRE Secure Static Versioning
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238966-1
Secure Static Versioning was introduced in JDK and JRE 5.0 Update 6. With this feature, after the installation of a JRE 5.0 Update 6 or later release, applets are not allowed to run on an older release of the JRE. Due to a defect in the implementation, if an older release is subsequently installed, applets may run on that older release.
Sun Microsystems | 238966 | 2008-07-08T00:00-06:00

Security Vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted Application or Applet to Elevate Privileges
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238967-1
A vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted application or applet that is downloaded from a website to elevate its privileges. For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet.
Sun Microsystems | 238967 | 2008-07-08T00:00-06:00

Security Vulnerabilities in the Java Runtime Environment may allow Same Origin Policy to be Bypassed
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238968-1
Security vulnerabilities in the Java Runtime Environment may allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on machines other than the one that the applet was downloaded from. This may allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to.
Sun Microsystems | 238968 | 2008-07-08T00:00-06:00

Security Vulnerabilities in the Java Runtime Environment related to the processing of XML Data
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238628-1
A vulnerability in the Java Runtime Environment related to the processing of XML data may allow unauthorized access to certain URL resources (such as some files and web pages) or a Denial of Service (DoS) condition to be created on the system running the JRE.
Sun Microsystems | 238628 | 2008-07-08T00:00-06:00

A Security Vulnerability with the processing of fonts in the Java Runtime Environment may allow Elevation of Privileges
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238666-1
A buffer overflow security vulnerability with the processing of fonts in the Java Runtime Environment (JRE) may allow an untrusted applet or application to elevate its privileges.
Sun Microsystems | 238666 | 2008-07-08T00:00-06:00

Security Vulnerabilities in the Java Runtime Environment Scripting Language Support
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238687-1
A vulnerability in the Java Runtime Environment relating to scripting language support may allow an untrusted applet or application to elevate its privileges.
Sun Microsystems | 238687 | 2008-07-08T00:00-06:00

Multiple Security Vulnerabilities in Java Web Start may allow Privileges to be Elevated
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1
Sun Microsystems | 238905 | 2008-07-08T00:00-06:00

Sun Java Web Start Sandbox Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-042
Vulnerability Reported
The specific flaw exists in the writeManifest() method of the CacheEntry class. A directory traversal flaw in this method allows the creation of arbitrary files on the target system. After the file has been created, a call to Runtime.getRuntime.exec() can be used to execute the file.
Zero Day Initiative (ZDI) | ZDI-08-042 | http://www.us-cert.gov/cas/techalerts/TA08-193A.html | http://sunsolve.sun.com/search/document.do?assetkey=1-26-238905-1 | 2008-05-05

Sun Java Web Start vm args Stack Buffer Overflow
http://www.zerodayinitiative.com/advisories/ZDI-08-043
Vulnerability Reported
The specific flaw exists in the GetVMArgsOption() function used while parsing the java-vm-args attribute of the j2se tag in XML-based JNLP files. When a user downloads a malicious JNLP file, the vulnerable attribute is read into a static buffer. If an overly long value is defined by the java-vm-args attribute, a stack-based buffer overflow occurs, resulting in an exploitable condition.
Zero Day Initiative (ZDI) | ZDI-08-043 | http://www.us-cert.gov/cas/techalerts/TA08-193A.html | http://sunsolve.sun.com/search/document.do?assetkey=1-26-238905-1 | 2008-01-17