
Multiple vulnerabilities in Java


ALARM Group ALERT (ALARM, The Computing Alert System)


Alert Number:  030608-01
Alert Date:  03/06/08
Alert Title:  Multiple vulnerabilities in Java
Update-to:  None.
OS/Platform/Application:
Sun Java Web Start 1.x
Sun Java Web Start 6.x
Sun Java Development Kit (JDK) 1.5.x
Sun Java Development Kit (JDK) 1.6.x
Sun Java Runtime Environment (JRE) 1.4.x
Sun Java Runtime Environment (JRE) 1.5.x / 5.x
Sun Java Runtime Environment (JRE) 1.6.x / 6.x
Sun Java Software Development Kit (SDK) 1.4.x
(on all applicable computing platforms)
Category:  ALERT
Severity:  MEDIUM
Attention:  Java Users, System Administrators, Desktop Support Personnel

Summary:  Multiple Internet security agencies are currently reporting the discovery of numerous security vulnerabilities in the popular range of Sun Java products.  The most likely method of exploit for these vulnerabilities is visiting a website that hosts maliciously crafted Java elements.  If successful, exploitation of a vulnerable system could result in a range of negative outcomes, including application crash and total system takeover.  The vendor has made available upgrade software (patches) that fix these vulnerabilities.

Java technology is commonly used by web browsers to provide interactive content via small programs called applets and plugins.  Since this technology is very popular, many web browsers have Java products installed on them unbeknownst to the user.  In some cases multiple versions of Java may be present on the same computer.  It can sometimes be difficult to determine whether Java is present on a computer (and if so, what version or versions are running).  The patches that Sun has made available to fix the vulnerabilities are in some cases specific to the type(s) of Java software running on a computer, and it is therefore important to install the appropriate fix(es) for each computer.  See the "Recommended Actions" section (below) for suggestions on determining the presence and version of Java on your computer if you do not already know how to do so.

Recommended Actions:  System administrators, support personnel and Java users are encouraged to read the security advisories (safe links provided below) for more information about these vulnerabilities and to apply the patch(es) that are appropriate to their Java installations at their earliest convenience.  If you are unsure whether Java software is present on your computer, or do not know how to check the version running on your computer, please see the "Java Testing" links (below) for suggestions on how to perform this task.

Readers are encouraged to share this alert with family, friends, and associates who may use Java on their home computers.

ITS Actions:  N/A

Resources:

JAVA TESTING
Use these resources to determine the version running on your PC.

Sun Java Installation Verification (users are encouraged to try this resource first):
http://java.com/en/download/installed.jsp

Sun Java Virtual Machine Tester:
http://www.java.com/en/download/help/testvm.jsp

Javatester.org Testing (independent methods for determining if Java is running on your PC, what version, etc.):
http://www.javatester.org/version.html

-----

Secunia Advisory:
http://secunia.com/advisories/29239/

Update link for JDK and JRE 6 Update 5:
http://java.sun.com/javase/downloads/index.jsp

Update link for JDK and JRE 5.0 Update 15:
http://java.sun.com/javase/downloads/index_jdk5.jsp

Update link for SDK and JRE 1.4.2_17:
http://java.sun.com/j2se/1.4.2/download.html
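
For administrators checking several installations on one machine, the comparison against the fixed releases named in the update links above can be scripted. The following is an added example, not part of the original alert: it assumes any build in a listed family older than the linked update still needs the patch, and the `java -version` output lines and install paths are constructed samples.

```python
import re

# Fixed releases named in this alert's update links, keyed by Java family.
# Values are (micro, update): 6 Update 5 = 1.6.0_05, 5.0 Update 15 = 1.5.0_15, 1.4.2_17.
FIXED = {
    (1, 6): (0, 5),
    (1, 5): (0, 15),
    (1, 4): (2, 17),
}

# Quoted version in `java -version` output, e.g. "1.6.0_03" or "1.5.0_15-b04".
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?[^"]*"')


def parse_version(output):
    """Return (major, minor, micro, update) from `java -version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def assess(output):
    """Classify one installation: patched, needs-update, not-listed or unparsed."""
    v = parse_version(output)
    if v is None:
        return "unparsed"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "not-listed"  # family has no update link in this alert
    # Assumption: builds older than the linked update are unpatched.
    return "patched" if v[2:] >= fixed else "needs-update"


def survey(installs):
    """Map each install path to its status; one machine may hold several JREs."""
    return {path: assess(out) for path, out in installs.items()}


# Constructed sample: three JREs found on the same computer.
SAMPLE = {
    r"C:\Program Files\Java\jre1.6.0_03": 'java version "1.6.0_03"',
    r"C:\Program Files\Java\jre1.5.0_15": 'java version "1.5.0_15-b04"',
    r"C:\j2sdk1.4.2_16": 'java version "1.4.2_16"',
}

if __name__ == "__main__":
    for path, status in survey(SAMPLE).items():
        print(f"{status:12} {path}")
```

Each installation reported as `needs-update` requires the patch for its own family, since the fixes are specific to the Java release in use.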

Information Technology Services
University at Albany, SUNY
1400 Washington Avenue
Albany, NY 12222
ITS Service Centers:  518-442-4000