
SANS ISC InfoSec Handlers Diary Blog



J2SE Runtime Environment (JRE) & Java SE Developer Kit (JDK) Update 8

Published: 2006-08-28
Last Updated: 2006-08-28 23:06:15 UTC
by Tony Carothers (Version: 3)
Sun has released Update 8 for JRE 5.0 for download.  As an earlier diary discussed, versions prior to 5.0, Release 6, allowed applets and/or applications to call earlier unpatched versions.  What is the risk to me?  The ability to call earlier, unpatched versions could potentially allow an attacker to run her/his code of choice along with it.  The Java Runtime Environment and Java Developer Kit both have release 8.0 available for download here.

Update: Here is a submission from one of our readers (who wishes to remain nameless). I am pasting it here verbatim. Just shows the quality of our readers that makes the ISC what it is. Thanks.

* If the previous versions of SunJRE aren't installed, and the user doesn't have local admin, it's pretty hard for an applet to successfully request a previous version!  When installing new versions of SunJRE, always uninstall the old one.

* That said, I have personally run into many situations where applets demand older versions of Java.  The main problem is internal corporate developers that want to ensure they get SunJRE even on machines where MSJVM is the default.  They generally tend to instantiate their Java applet using a CLSID, and they use the specific version CLSID (i.e. "{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}"). 
Since I don't want to install old versions of Java, and I have absolutely no way of influencing the developers who maintain those websites, I have taken to subterfuge. 
What I do is add in CLSIDs for the earlier versions of SunJRE (the pattern is pretty obvious), but point them to the most recent patch level for SunJRE.  For instance, the following would point 1.4.2_06 to 1.4.2_12:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}]
@="Java Plug-in 1.4.2_06"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\InprocServer32]
@="C:\\Program Files\\Java\\j2re1.4.2_12\\bin\\npjpi142_12.dll"
"ThreadingModel"="Apartment"

That seems to work as most of these applications don't really care about the differences between patch levels, and the applets don't test once Java loads, so as long as the CLSID is populated, Java starts right up.

I don't know if 1.4.2_12 and 1.5.0_06 populate these older CLSIDs automatically or if Java applets using old CLSIDs will simply fail to run.
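
For auditing which plug-in DLL each versioned Java CLSID actually resolves to, here is an added example; it is not part of the diary or of the reader's submission. It assumes the CLSID fields decode as in the one example above (0014-0002-0006 for 1.4.2_06), runs over a constructed `reg export`-style sample, and uses hypothetical function names.

```python
import re

# Constructed sample in .reg export form; keys and paths are illustrative only.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA}\InprocServer32]
@="C:\\Program Files\\Java\\j2re1.4.2_12\\bin\\npjpi142_12.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\InprocServer32]
@="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\npjpi142_03.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA}\InprocServer32]
@="C:\\Program Files\\Java\\j2re1.4.2_12\\bin\\npjpi142_12.dll"
'''

KEY_RE = re.compile(
    r'^\[.*\\CLSID\\\{CAFEEFAC-(\d{4})-(\d{4})-(\d{4})-ABCDEFFEDCBA\}\\InprocServer32\]$',
    re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')            # the key's default value
DIR_RE = re.compile(r'j2?re(\d+)\.(\d+)\.(\d+)_(\d+)', re.I)

def clsid_version(a, b, c):
    # Assumed decoding: 0014-0002-0006 -> (1, 4, 2, 6), i.e. 1.4.2_06
    return (int(a[:3]), int(a[3]), int(b), int(c))

def audit(reg_text, baseline):
    """Map each CLSID's claimed version to (version of the DLL it loads, status).
    baseline is the minimum acceptable patch level within one release family."""
    results, claimed = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            claimed = clsid_version(*m.groups())
        elif line.startswith('['):
            claimed = None                        # some other key, ignore its values
        elif claimed and (d := DEFAULT_RE.match(line)):
            v = DIR_RE.search(d.group(1))         # version taken from the install dir
            actual = tuple(map(int, v.groups())) if v else None
            status = ("unknown" if actual is None else
                      "unpatched" if actual < baseline else
                      "redirected" if actual != claimed else "current")
            results[claimed] = (actual, status)
    return results

if __name__ == "__main__":
    for claimed, (actual, status) in sorted(audit(SAMPLE_REG, (1, 4, 2, 12)).items()):
        print(claimed, "->", actual, status)
```

An "unpatched" entry means an old runtime is still installed and can be requested by CLSID; "redirected" is the remapping described in the submission.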

