July 11th, 2008
Sun releases JRE Version 6 Update 7, 90% of desktops currently at risk*
* The 90% of desktops currently at risk comes from numbers presented at the JavaOne keynote in 2008. If you aren’t patched, open the Java control panel and update from there, or go to Sun’s site to download the update, because this one’s big.
Yesterday Sun released JRE Version 6 Update 7, which, according to Sun, addresses eight issues. Of course, wherever there is a Java update, you can assume John Heasman had a hand in it. I’ve decided that the number of Java updates is directly related to the amount of John Heasman research time. He’s had a hand in all of the recent Java updates. You might remember Heasman from such ZDNet postings of mine as ToorCon Seattle 2008 (where I discussed numerous pieces of John’s research) and Defeating the Same Origin Policy Part 1 and Part 2. From Heasman’s blog:
According to Sun’s Security Blog the latest update fixes 8 issues. I’ll be releasing advisories and blogging on the issues that I had a hand in, namely:
238666 Native code execution through malformed TrueType font headers in untrusted Java applet.
238905 Multiple buffer overflows in Java Web Start JNLP handling
238905 Security problems with the JRE family version support
If you’re thinking the first two issues sound all too familiar, you’d be right. I previously discussed this font issue that led to execution of arbitrary code. And the JNLP parsing code has had a number of similar buffer overflows (details here, here and here) … not so much “same bug, different app” (the theme of this Brett Moore presentation) as “same bug, same app!”
For the record, Black Hat this year will feature some more Java bugs, which may not yet be patched at the time the talk is given during Black Hat. John, Rob Carter, and I will be talking about this, with a good chunk of the research being attributed to Billy Rios. Not that I’m pimping our talk, but it will be outstanding and you should definitely come see it. Ok, I’m pimping my talk, shoot me.
-Nate

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.